Insurer Anthem recently began notifying 18,580 of its members that their personal information may have been exposed when an employee of third-party vendor LaunchPoint Ventures, which provides insurance coordination services to Anthem, emailed the data to his personal email address on July 8, 2016.
On April 12, 2017, LaunchPoint learned that the employee was involved in identity theft, and hired a forensic firm to investigate. On June 12, 2017, the firm determined that the employee had stolen the Anthem data, including members' protected health information (PHI). The company then notified Anthem on June 14.
The exposed data includes Medicare ID numbers (including Social Security numbers), Health Plan ID numbers, Medicare contract numbers, and dates of enrollment. In some cases, last names and birthdates were also exposed.
"LaunchPoint terminated the employee, hired a forensic expert to investigate, and is working with law enforcement," Anthem said in a blog post about the breach. "The employee is in prison and is under investigation by law enforcement for matters unrelated to the emailed Anthem file."
Managing Cyber Risk
"As digital ecosystems grow increasingly interconnected, it's critical that organizations understand and manage their own cyber risk in order to make decisions based upon the security postures of the third parties with access to their networks," Kneip said.
And Bitglass CEO Rich Campagna suggested by email that the incident could have been prevented with more effective controls around sharing of data.
"Whether it's a careless auto-fill of an external email address in a file sharing prompt, or a malicious attempt to leak data, as it appears to be the case in this most recent Anthem breach, healthcare organizations must use technologies like data leakage prevention (DLP) to identify sensitive patient data and to build controls around when that data can be accessed and by whom," Campagna said.
Ultimately, ThinAir CEO Tony Gauda said by email, organizations should never underestimate the insider threat. "But the unfortunate reality is that far too many organizations lack visibility and context into how data is created, accessed, moved and shared," he said. "No security system can prevent every attack. You must have a real-time visibility into data and its usage -- specifically any/all interactions with that data by insiders."
The Insider Threat
A recent SANS Institute survey [PDF] found that just 23 percent of respondents believe outside attackers do the most damage -- 40 percent said the worst breaches come from malicious insiders, and 36 percent said they're caused by unintentional insiders.
Still, 38 percent of respondents said the systems and methods they use to monitor insider activity are ineffective.
What's more, just 18 percent of respondents have formal incident response plans in place for insider attacks, though 49 percent said they're in the process of developing such plans.
Forty-five percent of respondents don't know how much an insider breach would cost their organizations.
"Malicious insiders have always been a threat, but the risk is increasing from 'unintentional' insiders that are tricked into giving their login information to callers from fake help desks or clicking on attachments that release password-stealing malware," SANS instructor and survey report author Eric Cole said in a statement. "Every organization is only one click away from a potential compromise."