So far in 2017, the healthcare sector has reported 233 breach incidents – affecting over 3 million patient records – to the US Department of Health and Human Services, state attorneys general, and the media. Insider attacks accounted for 41% of these breaches.
One of the most recent insider incidents in the healthcare sector came to light with news of a breach at LaunchPoint Ventures, a Medicare vendor for Anthem.
LaunchPoint is an Indiana-based company that provides coordination services to Anthem. As part of contracted services, LaunchPoint was provided with access to Anthem plan members’ protected health information (PHI).
On May 28, 2017, LaunchPoint discovered that on July 8, 2016 an employee had emailed a file containing PHI – Social Security numbers, Medicare ID numbers, Medicare contract numbers, dates of enrollment and health plan ID numbers – to his personal email address, in violation of LaunchPoint’s policies.
On June 12, LaunchPoint determined that the file contained PHI of Anthem members, and it reported the incident to Anthem on June 14. The breach involved the data of 18,580 members.
As a result of the breach, LaunchPoint is providing impacted members with information on how to better protect against potential identity theft and fraud, as well as access to two years of credit monitoring and identity theft restoration services with AllClear ID at no cost.
This isn’t the first time Anthem has experienced a significant data breach. In 2015, hackers broke into a database containing the personal data of up to 80 million customers and employees. Anthem recently agreed to pay $115 million to settle class-action lawsuits stemming from this breach.
Key Characteristics of the Attack
- The attack was carried out by an employee of a vendor. It’s unclear if there was malicious intent, or if this was simply a case of negligence.
- The employee had access to PHI, and was able to send this data via email to a personal account.
- Nearly a year passed before the breach was discovered, and more time passed before the incident was reported to Anthem and to the affected members.
Lessons Learned from the LaunchPoint Data Breach and Prevention Tips
What can we learn from this particular insider threat and, more importantly, what steps can organizations take to avoid similar breaches? Based on the characteristics of this breach, here are several prevention tips:
- Hold third parties to a high standard. Confirm that vendors and partners have strong data protection policies and safeguards in place, and that access to data is granted on a “need to know” basis: only staff who need a system to do their jobs should have access to it. Ask about the third party’s security awareness training: is it delivered to every employee at onboarding and refreshed periodically?
- Catch insider breaches promptly. Monitor continuously so that a breach is detected in days rather than months. Prompt attention limits the damage and allows rapid notification of affected parties.
- Policies are not enough. LaunchPoint had a policy against emailing data outside the organization, but the policy did not prevent the breach. Monitoring of outbound email can catch a file with thousands of member records leaving the organization, which a written rule cannot.
- Limit, log, and monitor use. Restrict access to sensitive data, log every access to it, and alert IT staff when access is abnormal or when data leaves the organization.
- Watch out for large data transfers. Monitor large transfers of data out of the organization, whether by email, USB device, or cloud service.
- Monitor outgoing email. Alert on outgoing email to personal accounts, and on large amounts of data transmitted by email.
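As an added example (not LaunchPoint’s or Anthem’s tooling, and not code from the original article), the following Python detector applies the last four tips to a few constructed outbound messages: it flags recipients at personal webmail domains, a personal recipient whose mailbox name matches the sender’s (self-forwarding, the pattern in this incident), attachments holding many distinct SSN-pattern values, and large attachments leaving the organization. The domain lists, the thresholds, and the assumption that attachment text has already been extracted by an upstream step are all assumptions of the example. It matches the SSN format only, because the article does not describe the format of the other identifiers in the file.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Assumed domain lists for the example. The corporate set stands in for
# LaunchPoint's and Anthem's real mail domains; the webmail set is what
# the detector treats as a "personal account".
CORPORATE_DOMAINS = {"launchpoint.example", "anthem.example"}
PERSONAL_WEBMAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "aol.com"}

# SSN pattern with the impossible area/group/serial values excluded
# (area 000, 666 and 900-999; group 00; serial 0000).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Tuning assumptions: how many distinct SSN-pattern values make an
# attachment a bulk export, and what counts as a large attachment.
BULK_RECORD_THRESHOLD = 10
LARGE_ATTACHMENT_BYTES = 5 * 1024 * 1024


@dataclass
class OutboundMessage:
    sender: str
    recipients: list[str]
    attachment_name: str
    attachment_bytes: int
    attachment_text: str  # text already extracted from the attachment (assumed upstream step)


@dataclass
class Finding:
    severity: str  # "none", "low", "medium", "high" or "critical"
    reasons: list[str] = field(default_factory=list)


def local_part(addr: str) -> str:
    return addr.rsplit("@", 1)[0].lower()


def domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def classify_recipients(msg: OutboundMessage) -> tuple[list[str], list[str]]:
    """Split recipients into personal-webmail and other-external addresses;
    corporate/partner recipients are dropped as in-policy."""
    personal, external = [], []
    for r in msg.recipients:
        d = domain(r)
        if d in CORPORATE_DOMAINS:
            continue
        (personal if d in PERSONAL_WEBMAIL_DOMAINS else external).append(r)
    return personal, external


def count_ssn_records(text: str) -> int:
    """Distinct SSN-pattern values: a proxy for the number of member records."""
    return len(set(SSN_RE.findall(text)))


def evaluate(msg: OutboundMessage) -> Finding:
    personal, external = classify_recipients(msg)
    leaving_org = bool(personal or external)
    records = count_ssn_records(msg.attachment_text)
    large = msg.attachment_bytes >= LARGE_ATTACHMENT_BYTES
    # An employee mailing a file to a webmail address that carries his own
    # mailbox name is the cheapest signal for the LaunchPoint pattern.
    self_forward = any(local_part(r) == local_part(msg.sender) for r in personal)

    reasons = []
    if personal:
        reasons.append("recipient at personal webmail domain: " + ", ".join(personal))
    if self_forward:
        reasons.append("personal recipient shares the sender's mailbox name (self-forwarding)")
    if records:
        reasons.append(f"attachment {msg.attachment_name} holds {records} distinct SSN-pattern values")
    if large:
        reasons.append(f"attachment {msg.attachment_name} is {msg.attachment_bytes // (1024 * 1024)} MiB")

    if leaving_org and records >= BULK_RECORD_THRESHOLD:
        severity = "critical"
    elif leaving_org and records:
        severity = "high"
    elif personal or (external and large):
        severity = "medium"
    elif reasons:
        severity = "low"  # e.g. PHI moving between corporate domains: log it, no alert
    else:
        severity = "none"
    return Finding(severity, reasons)


def sample_messages() -> list[OutboundMessage]:
    """Constructed test data; every address, name and number here is synthetic."""
    member_rows = "\n".join(f"member{i},123-45-67{i:02d},2016-01-{i + 1:02d}" for i in range(12))
    return [
        OutboundMessage("jdoe@launchpoint.example", ["jdoe@gmail.com"],
                        "members_export.csv", 900_000, "name,ssn,enrolled\n" + member_rows),
        OutboundMessage("jdoe@launchpoint.example", ["claims@anthem.example"],
                        "weekly_reconciliation.csv", 900_000, "name,ssn,enrolled\n" + member_rows),
        OutboundMessage("asmith@launchpoint.example", ["vendor@printshop.example"],
                        "brochure_print_ready.pdf", 40 * 1024 * 1024, "Welcome to your plan"),
        OutboundMessage("asmith@launchpoint.example", ["asmith@launchpoint.example"],
                        "notes.txt", 2_000, "call back Tuesday"),
    ]


def scan(messages: list[OutboundMessage]) -> dict[str, Finding]:
    return {m.attachment_name: evaluate(m) for m in messages}


if __name__ == "__main__":
    for name, finding in scan(sample_messages()).items():
        print(f"{finding.severity:8s} {name}")
        for reason in finding.reasons:
            print(f"         - {reason}")
```

The same file going to a partner domain is logged at low severity rather than alerted on, which is the distinction between the 2016 email and LaunchPoint’s legitimate exchanges with Anthem; in practice the rules would run in the mail gateway or DLP system so that a critical finding can quarantine the message instead of merely reporting it.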
Insiders – whether employees or subcontractors – often have easy access to sensitive data. Security-awareness training should be a prerequisite for access to this data. Then, it’s critical to monitor ongoing access to this data to help prevent loss and mitigate damage.