Anthem Inc. will have to submit a plan to regulators outlining how the company plans to deal with its latest data breach, S&P Global Market Intelligence has learned.
Regulators met with Anthem executives about the matter in a closed-door session during the National Association of Insurance Commissioners conference in Philadelphia.
The Market Actions Working Group of the NAIC privately met to discuss at least three companies during the organization's summer meeting. One regulator exiting the meeting, where Anthem lawyers waited outside while commissioners deliberated, told S&P Global Market Intelligence that the health insurer will have to explain to regulators how it will handle the recent breach.
An Anthem spokesperson confirmed that the company was asked to attend a confidential NAIC meeting but directed all questions to the NAIC committee.
Indiana Insurance Commissioner Stephen Robertson said he had no comment when he was asked after the meeting about any remediation plans. But in an Aug. 7 statement, Robertson said he had met with Anthem representatives personally to ensure they were taking the appropriate steps to address the data breach and that he would continue to monitor the situation.
Anthem on its website said July 24 that a third-party vendor, LaunchPoint Ventures LLC, recently discovered a privacy incident that affects approximately 18,580 Medicare members. The incident involved an employee likely involved in identity theft-related activities, Anthem said.
LaunchPoint learned that some other non-Anthem data may have been misused by the employee, it said. The company found that the employee emailed a file with protected information to his personal address that included protected health information of Anthem members. The personal information in the file included Social Security numbers and other identification and enrollment information, Anthem said.
This is not the first time Anthem has come before the NAIC following a cybersecurity incident. Executives for the managed care company spoke during an open cybersecurity meeting at an NAIC meeting shortly after a massive data breach reported in 2015. That incident potentially compromised around 79 million individuals' personal information.
According to a Reuters report, Anthem will pay $115 million to settle lawsuits over that breach. The California Department of Insurance said in January that Anthem is spending more than $260 million for security improvements and remedial actions in response to the incident. An investigation led by a handful of state insurance commissioners found that the incident reported in 2015, which actually occurred earlier, involved a foreign national. Attempts to glean details from the Federal Bureau of Investigation resulted in no comment at the time.
"When you look at the data breaches plaguing America’s financial services sector, the two weakest links for companies continue to be their vendors and insider threats," said Adam Hamm, a managing director focused on cybersecurity, risk and compliance at Protiviti, a global consulting company. Hamm led the NAIC's efforts on cybersecurity during the time of the first Anthem breach, up through the end of 2016.