This week we learned another Anthem data breach is in the news – just one month after the health insurer agreed to pay $115 million to settle a class action lawsuit that stemmed from the 2015 breach that impacted nearly 80 million members and employees.
Fortunately for all involved, the new breach impacts just 18,500 of the company’s Medicare patients, a fraction of the people impacted in the 2015 incident. Initial reports say that an employee of one of Anthem’s third-party contractors emailed a file containing personal health information (PHI), which included social security numbers, to his personal email. The employee has been arrested, and it appears that Anthem or the third party caught it early because of precautionary steps taken with their partners to minimize the risk.
There is a silver lining to what could have been a nightmare for Anthem: it’s likely the alleged thief was caught before he could abscond with far more data. As we know, Anthem provides medical insurance for millions of Americans, and if this person had been able to remain undetected for an extended period, the impact could have been catastrophic, both for Anthem and for patients.
Third-party contractor risk
This incident is a good reminder for all organizations of how incredibly difficult it is to monitor the third-party partners they rely on for additional services and processing. Difficult or not, it remains a critical necessity. Compliance auditing and minimum security standards (for example, requiring a solid endpoint strategy and products that can actively monitor devices for customer data) should be the ground floor for companies that deal with sensitive data, especially PHI. This brings up another important point: this breach should be recognized within the context of GDPR, which comes into full force in May 2018.
While this particular incident appears to have been limited to a small number of American citizens, if a similar breach were to happen at another American company and the stolen data contained EU citizen data, we would likely see significant punitive penalties levied by the EU. Under the coming regulations, parties who collect the data initially are responsible for the use of customer data, even when it is handed off to a third party.
HIPAA has some very strong teeth of course, and I expect the fallout from this breach to be significant for Anthem and the processor. I do think, however, that the relatively small number of records stolen may temper the damages to both organizations.
If you're collecting, storing, and handing off data, it is priority number one to ensure you know where all that data is, where it ends up, and who is using it at all times, no matter what. Identity theft through cybercrime continues to be a multi-billion dollar business for cybercriminals, and those numbers are not likely to decrease.