HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Anthem Business Associate Data Breach Impacts 18,500 Plan Holders

Anthem Inc., has only recently settled the lawsuit arising from its 2015 data breach that affected 78.8 million plan holders. Now, thousands of its members are being notified that their protected health information has been exposed in another incident.

This time it was not a cyberattack, but a data breach involving an employee of one of its business associates, Indiana-based LaunchPoint Ventures LLC. LaunchPoint is contracted to provide coordination services, for which it required to be provided with access to plan members’ protected health information.

On April 12, 2017, LaunchPoint became aware that one of its employees was alleged to have been involved in identity theft related activities, prompting the firm to launch an investigation into the possibility of data theft. The business associate hired the services of a third-party forensic firm to assist with the investigation.

On May 28, 2017, LaunchPoint learned that other ‘non-Anthem’ data may also have been compromised. On June 12, 2017, it was confirmed that the PHI of 18,580 Anthem health plan members had been accessed. The information had also been emailed to the employee’s personal email account in July 2016. Anthem was notified of the incident on June 14, 2017.

Get The Checklist

Free and Immediate Download
HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

LaunchPoint has confirmed that the information stolen by the employee includes Medicare ID numbers, Social Security numbers, Medicare contract numbers, health plan ID numbers and dates of enrollment, with ‘a very limited number’ of last names and birth dates also included in the emailed data set.

The employee has been terminated for breaching company polices and LaunchPoint is working closely with law enforcement and assisting with a criminal investigation. Anthem reports that the employee is now behind bars for crimes unrelated to the theft of plan member data. LaunchPoint is assessing its policies and protocols and will be implementing additional safeguards to prevent future security breaches.

Anthem has reported the data breach to the Department of Health and Human Services’ Office for Civil Rights and has issued media notices. The breach impacts individuals in all states where it does business.

LaunchPoint will be sending breach notification letters to all individuals impacted by the incident. Those individuals will be offered credit monitoring and identity theft restoration services without charge for a period of two years.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.