HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Foreign Government-Backed Hacker Was Behind 2015 Anthem Breach

The massive 2015 data breach at Anthem Inc., which resulted in the theft of more than 78.8 million health plan members’ records, was likely the work of a foreign government-backed hacker, according to a recent report issued by the California Department of Insurance.

Anthem Inc., the second largest health insurer in the United States, announced the massive cyberattack in February 2015, almost a month after the breach was discovered. However, the intrusion began almost a year earlier: Anthem’s database was found to have first been infiltrated on February 18, 2014.

Data stolen in the attack included members’ Social Security numbers, birth dates, employment details, addresses, email addresses, and medical identification numbers. The attackers were able to bypass multiple layers of cybersecurity defenses with a single phishing email sent to an employee of one of Anthem’s subsidiaries. The employee’s response to the email allowed the attacker to download malware onto Anthem’s network, which in turn gave access to Anthem’s database of members. The attackers also managed to infiltrate 90 other information systems used by the insurer.

Anthem employed cybersecurity firm Mandiant to investigate the breach, while the independent investigation conducted by the California Department of Insurance, with assistance from cybersecurity firm CrowdStrike and Alvarez & Marsal Insurance and Risk Advisory Services, has taken considerably longer to complete. Mandiant’s investigation centered on how the breach occurred, the individuals affected, and the extent of the breach; the California Department of Insurance’s investigation probed deeper and attempted to determine who was responsible.

It was only recently that the California state agency discovered a credible link between the cyberattack and a foreign government-backed hacker. No announcement has been made as to which foreign government has been linked to the attack. The California Department of Insurance chose not to disclose the government suspected of involvement because a federal investigation is still ongoing. However, a number of cybersecurity firms have linked the malware used in the attack to China.

The California Department of Insurance investigation was led by seven insurance commissioners and involved 40 other state and territorial insurance commissioners. One of those insurance commissioners, Dave Jones, said “our examination team concluded with a significant degree of confidence that the cyber attacker was acting on behalf of a foreign government.”

The investigators were able to identify the attacker with “a significant degree of confidence”, although they only had “a medium degree of confidence” that the attacker was backed by a foreign government. Previous cyberattacks linked to the foreign government suspected of assisting in the attack have not resulted in any stolen data being passed on to non-state actors, yet the data from the Anthem attack appears to have been passed on to non-state groups.

Preventing cyberattacks such as the one on Anthem is difficult, and a coordinated effort between government agencies and private sector firms is required. Jones said “Insurers and regulators alone cannot stop foreign government-assisted cyberattacks.”

The California Department of Insurance investigation also looked at the cybersecurity defenses Anthem had put in place prior to the breach, the actions taken immediately after the breach was discovered, and the plans put in place to protect members from harm. The investigators determined that the defenses put in place to prevent cyberattacks were reasonable and that the plan implemented to resolve the breach was rapid and effective.

Vulnerabilities discovered during the course of the investigation were communicated to the insurer and incorporated into its remediation plan. After the post-breach improvements were made, the investigators arranged for Anthem’s new cybersecurity defenses to be penetration tested. The California Department of Insurance found the improvements to be reasonable.

Early estimates of the breach resolution costs suggested Anthem would have to pay in excess of $100 million. However, the cost to the insurer has been significantly higher. Anthem Inc. has spent $260 million just to shore up its cybersecurity defenses and improve its information systems to prevent further attacks. All individuals affected by the breach have been offered two years of credit monitoring and protection services free of charge, and the company is currently embroiled in numerous class-action lawsuits. There is also the possibility that the Department of Health and Human Services’ Office for Civil Rights may take action against the insurer. The final cost of the Anthem breach will not be known for many months to come.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.