US health insurance giant Anthem has reported another data breach that may have exposed the personal data of more than 18,000 Anthem Medicare members. LaunchPoint Ventures, one of Anthem's consulting firms, discovered in April that one of its employees was possibly involved in identity theft-related activities. Following an investigation, the third-party firm found that the employee had emailed a file containing the data of Anthem's members to his personal email account on 8 July last year.
The file contained the Protected Health Information (PHI) of various members, including their social security numbers, health plan ID numbers, dates of enrollment and Medicare contract numbers. In some cases, the last names and dates of birth were included.
On 28 May, LaunchPoint said it learned that some other "non-Anthem data" may have also been misused by the employee in question. It added that it is still unclear whether the email was sent for legitimate work purposes or with malicious intent.
The firm said it reported the incident to Anthem on 14 June.
"LaunchPoint has terminated the employee, hired a forensic expert to investigate, and is working with law enforcement," Anthem said in a release. "The employee has been incarcerated and is under investigation by law enforcement for matters unrelated to the e-mailed Anthem file. LaunchPoint is reinforcing existing policies and protocols and is evaluating additional safeguards to prevent any similar incidents from occurring in the future."
Anthem reported the breach to the Department of Health and Human Services on 24 July, noting that 18,580 people were impacted by the breach. Affected members are now being contacted by Anthem and will be offered two years of free credit monitoring and identity theft restoration services by LaunchPoint.
The health insurer has advised customers to monitor their account statements and credit reports for any potential suspicious activity or identity theft incidents.
IBTimes UK has reached out to Anthem for comment.
News of the latest breach comes just a month after Anthem was ordered to pay a record $115m (£86.9m) to settle a class action lawsuit over the massive 2015 data breach that saw hackers gain access to the personal data of nearly 80 million people.
In 2015, Anthem was fined $1.7m by the US Department of Health and Human Services over another data breach in 2010, back when it was known as WellPoint. That breach saw the disclosure of over 612,000 customers' personal information due to inadequate online security policies and procedures.