The Intractable Cybersecurity Threat of the “Business Associate”
August 1, 2017
Health insurer Anthem Inc., which recently agreed to the largest-ever settlement in a data breach case, is having to deal with another incident. This one potentially affects far fewer customers than the massive 2015 breach that gave rise to last month’s settlement (18,580 compared to almost 79 million), but it came by way of a modus operandi that is particularly insidious and difficult to defend against. A former employee of a company that provides “insurance coordination services” to Anthem emailed personal information about some Anthem customers to his personal email address. It’s not known whether he did so for legitimate business reasons, according to Anthem, and there is no indication the data was misused, although the former employee is currently incarcerated and is said to be under investigation for an unrelated matter. This article from an Information Security Media Group website quotes a number of experts with advice on how to prevent or reduce the likelihood of this kind of unauthorized disclosure, but the consensus seems to be that it’s virtually impossible to take the risk down to zero. One attorney suggests that smaller organizations that consider expensive “data loss prevention” technology, but then decide against it because of its cost, should at least document the fact that they looked into it, as the day may come when it will serve them well in a regulatory inquiry.