- The large-scale cybersecurity attack on Anthem in 2015 that led to 78.8 million consumer records potentially being exposed in a data breach was caused by a foreign nation attacker, according to the California Department of Insurance.
An investigation into the Anthem cyberattack found the identity of the attacker with a high degree of confidence” and “concluded with a medium degree of confidence that the attacker was acting on behalf of a foreign government.”
“This was one of the largest cyber hacks of an insurance company's customer data," Insurance Commissioner Dave Jones said in a statement. “"Insurers have an obligation to make sure consumers' health and financial information is protected. Insurance commissioners required Anthem to take a series of steps to improve its cybersecurity and provide credit protection for consumers affected by the breach. In this case, our examination team concluded with a significant degree of confidence that the cyber attacker was acting on behalf of a foreign government.”
The Anthem breach was first discovered by the insurer on January 27, 2015, and Anthem announced the incident in early February 2015.
Potentially exposed information included names, dates of birth, medical IDs or Social Security numbers, street addresses, and email addresses. Employment information, some of which included income data, was also potentially put at risk, Anthem explained at the breach’s announcement.
“We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data,” Anthem president and CEO Joseph Swedish said in a statement at the time.
The insurance department’s investigation concluded that Anthem took reasonable measures to protect its data before the data breach, and had employed a remediation plan which helped lead to a quick and effective breach response.
“The team noted Anthem's exploitable vulnerabilities, worked with Anthem to develop a plan to address those vulnerabilities, and conducted a penetration test exercise to validate the strength of Anthem's corrective measures,” the California Department of Insurance said in a statement. “As a result, the team found Anthem's improvements to its cybersecurity protocols and planned improvements were reasonable.”
It was also found that the initial breach occurred on February 18, 2014. A user within one of Anthem's subsidiaries reportedly opened a phishing email containing malicious content.
“Opening the email permitted the download of malicious files to the user's computer and allowed hackers to gain remote access to that computer and at least 90 other systems within the Anthem enterprise, including Anthem's data warehouse,” the department explained.
Following the data breach, Anthem agreed to enhance its information security systems and to provide credit protection to all consumers whose information was compromised. The insurer is also paying more than $260 million dollars for security improvements and remedial actions in response to this breach.
The Anthem cyberattack was the largest healthcare data breach of 2015, and also led to the organization facing serious scrutiny for its delay in notifying individuals of the incident.
In March 2015, Senate health committee Chairman Lamar Alexander and Ranking Member Patty Murray wrote a letter to Swedish, calling for notification letters to be sent to all 78.8 million potentially affected individuals.
“While we appreciate your efforts to keep our Committee informed of your efforts to respond to the attack after you became aware of it, we are troubled by Anthem’s delay in notifying these 78.8 million Americans,” the duo wrote.
At the time Alexander and Murray wrote to Anthem, more than 50 million Americans had yet to receive a data breach notification letter.
“While we understand the logistical challenges associated with contacting millions of people, the highly sensitive nature of this information makes early notification essential, and we are concerned with your slow pace of notification and outreach thus far,” Alexander and Murray stated. “We are writing to formally request that you speed up the pace of notifications, and share with our committee what steps you plan to take in the next few days, to dramatically increase the pace of notification.”