A data breach may have exposed personal health information of more than 18,000 Anthem Medicare enrollees, after one of the insurer's health care consulting firms discovered that one of its employees had been involved in identity theft.
Anthem says it was contacted about the breach by the consulting firm LaunchPoint Ventures on June 14. LaunchPoint discovered two months earlier that one of its employees had been involved in involved in a case of identity theft, and further investigation discovered that the worker had "emailed a file with information about Anthem companies' members to his personal email address," a year ago.
In all, more than 18,500 Anthem Medicare members' Social Security and Medicare identification data may have been exposed. The health insurer reported the breach to the Department of Health and Human services on July 24, the same day LaunchPoint began notifying members, according to an Anthem spokeswoman.
Why did it take so long for them to reach out to members?
"Anthem had to work with LaunchPoint to determine if the information contained in the report corresponded to Anthem family health plan members," explained Anthem public relations director Gene Rodriguez, adding: "(We) had to ensure LaunchPoint had accurate address information in order to notify those impacted."
This is the second major data breach for Anthem in two years. Last month, the health insurer agreed to a $115 million settlement to resolve a class action lawsuit over a 2015 breach that saw hackers gain access to the personal information of nearly 80 million people. That agreement, which must still be approved by a federal judge, would mark a record for a cyber-breach.
In 2013, the company paid $1.7 million to resolve a federal complaint that it exposed protected health information of more than 600,000 people, due to online security failures.
The contractor from LaunchPoint has been "terminated," according to Anthem, and is incarcerated on charges unrelated to the Anthem breach. The company further stated that LaunchPoint is reevaluating its security safeguards.
Individuals' whose data were exposed will be provided with free credit monitoring and identity theft restoration services for two years.
—By Bertha Coombs. Follow her on Twitter: @coombscnbc