Anthem Healthcare, photo from Anthem Healthcare

A third-party breach may have exposed approximately 18,580 customers’ personal and medical data from Anthem Healthcare. This breach comes a month after Anthem agreed to pay $115 million to settle a class-action lawsuit over the 2015 breach that compromised personal information of almost 80 million customers.

Anthem spokesman Gene Rodriguez reported that the incident links to LaunchPoint Ventures LLC, a firm that provides insurance coordination services to Anthem. According to Rodriguez, on April 12, 2017 LaunchPoint learned that one of its employees was likely involved in identity theft-related activities. After an investigation from LaunchPoint, the company learned that some other, non-Anthem data may have been misused by this employee.

“LaunchPoint then learned the employee emailed a file with information about Anthem companies’ members to his personal email address on July 8, 2016. This action violated LaunchPoint’s policies,” writes Rodriguez in a statement. “The investigation is ongoing. LaunchPoint does not know if the email was related to a legitimate work purpose.”

The information exposed includes Medicare ID numbers, which consists of a Social Security number, Health Plan ID numbers, Medicare contract numbers, and dates of enrollment.

A very limited number of last names and dates of birth were also included in the exposed information, and LaunchPoint is in the process of contacting these individuals, according to the statement.

According to Rich Campagna, CEO of Bitglass, a cloud security software company, healthcare organizations need to use technologies like data leakage prevention to identify sensitive patient data and then build controls around when that data can be accessed, and by whom. He said that the Anthem breach appears to be the case of a malicious attempt to leak data, as compared to a “careless auto-fill of an external email address in a file sharing prompt.”

In this incident, simple rules could have been implemented that prohibit such a large volume of patient data from being shared outside the organization without internal approval,” said Campagna.

Rodriguez also notes that LaunchPoint has terminated the employee, hired a forensic expert to investigate, and is currently working with law enforcement. The employee is also under investigation for matters unrelated to the Anthem file, and is currently incarcerated.

Businesses also need to better assess risk of data exfiltration and malicious intent across the enterprise, and this includes third party contractors like LaunchPoint in the Anthem incident, according to founder and CEO of Balbix, Gaurav Banga. Balbix offers a continuous risk heat map for enterprises.

“Specifically finding the data stores within the enterprise that have a high business impact and are at an increased likelihood from being attacked by infected devices or malicious users, can help predict and prevent such attacks, before they happen,” said Banga. “Continuous risk assessment and monitoring of the enterprise attack surface can reveal such risks proactively.”

In the meantime, LaunchPoint is providing those impacted with information on how to better protect against identify theft and fraud. The company is also giving those impacted access to two years of credit monitoring and identity theft restoration services with AllClear ID at no cost.