Between February 2014 and January 2015, the Chinese state-sponsored threat
group known as Deep Panda conducted a sustained intrusion into Anthem Inc.,
the second-largest health insurer in the United States. Using targeted
spear-phishing emails and the Sakula remote access trojan, the attackers
maintained persistent access for approximately 11 months, exfiltrating the
personal data of 78.8 million current and former members and employees.
The breach resulted in a then-record $16 million HIPAA settlement with the
Department of Health and Human Services and a $115 million class action
settlement.
## Key Facts
- **What:** Chinese state-sponsored hackers breached Anthem over an 11-month intrusion.
- **Who:** 78.8 million current and former Anthem members and employees.
- **Data Exposed:** Social Security numbers, medical IDs, income data, and personal details.
- **Outcome:** Record $16M HIPAA settlement and $115M class action settlement.
## What Was Exposed
- Social Security numbers for 78.8 million current and former Anthem members and employees
- Medical identification numbers linked to insurance coverage records
- Full names, dates of birth, and home addresses
- Email addresses and employment information including income data
- Health plan enrollment data including plan type, coverage dates, and member identifiers
- Employee records including job titles, departments, and hiring dates for Anthem staff
While Anthem emphasized that no medical records or claims data were stolen,
the exposed dataset was profoundly sensitive. Social Security numbers paired
with health plan identifiers, dates of birth, and income data constitute a
comprehensive identity profile.
The medical ID numbers, in particular, enable medical identity fraud, a
category of identity theft in which stolen health credentials are used to
obtain medical care, prescription drugs, or fraudulent insurance
reimbursements under the victim’s identity. Medical identity fraud is
notoriously difficult to detect and remediate because it contaminates the
victim’s medical records with another person’s health information,
potentially leading to dangerous treatment errors.
## The Attack: Deep Panda and Sakula Malware
The intrusion began in February 2014 when at least one Anthem employee,
working in a subsidiary, clicked on a link in a spear-phishing email. The
phishing message was carefully crafted to appear as a legitimate internal
communication, and the embedded link directed the victim’s browser to
a domain controlled by the attackers, which delivered the Sakula remote
access trojan.
Sakula provided the attackers with persistent remote access to the compromised
workstation, including keylogging, screen capture, and the ability to execute
arbitrary commands. From this initial foothold, the attackers harvested the
employee’s credentials and used them to move laterally through Anthem’s
network.
Over the following months, they escalated privileges, eventually obtaining
the credentials of a database administrator with access to Anthem’s
enterprise data warehouse. This warehouse held the centralized personal
information of Anthem members across its health plan brands, including
Anthem Blue Cross in California, Anthem Blue Cross and Blue Shield, and
Empire Blue Cross Blue Shield.
The attackers ran queries against this warehouse to extract member data,
packaging it into compressed archives for exfiltration. The data was
transmitted to external servers through encrypted channels.
The intrusion remained undetected for approximately 11 months. It was
discovered on January 27, 2015, when a database administrator noticed
that a query was running under his credentials that he had not initiated.
The administrator reported the anomaly to Anthem’s internal security
team, which triggered an investigation that revealed the full scope of
the compromise. Anthem publicly disclosed the breach on February 4, 2015.
## Attribution and Criminal Indictment
The attribution to Chinese state-sponsored actors was made by multiple
cybersecurity firms based on the Sakula malware family, the command-and-control
infrastructure, and the operational patterns of the intrusion. The Sakula RAT
had been previously linked to Chinese intelligence operations targeting
defense contractors, aerospace companies, and technology firms.
In May 2019, the U.S. Department of Justice indicted Fujie Wang and an
unnamed co-conspirator, both Chinese nationals, for their roles in the Anthem
intrusion and related intrusions into other U.S. businesses. The indictment
detailed how the same infrastructure, malware and techniques were reused
across multiple targets, tying the intrusions together as one coordinated
campaign. The indictment itself did not charge state sponsorship; that
assessment rests on the private-sector attribution described above.
## Regulatory Analysis
The Anthem breach triggered enforcement actions under multiple federal and
state frameworks, with the HIPAA enforcement action establishing the most
significant precedent for healthcare data security in the United States.
**HIPAA Privacy Rule:** The Privacy Rule establishes national standards
for the protection of individually identifiable health information, known as
protected health information (PHI). While Anthem argued that the stolen data
did not include medical records or claims data, HHS took the position that
the combination of health plan identifiers, member IDs, and enrollment
information constituted PHI under the broad HIPAA definition.
**HIPAA Security Rule - Risk Analysis Failures:** The HHS Office
for Civil Rights (OCR) investigation focused on Anthem’s compliance with
the HIPAA Security Rule, which requires covered entities to implement
administrative, physical, and technical safeguards for electronic PHI.
OCR’s findings identified several critical deficiencies:
- Anthem failed to conduct an enterprise-wide risk analysis sufficient to
identify all risks and vulnerabilities to the confidentiality, integrity,
and availability of ePHI
- The risk analysis that Anthem had performed was incomplete, failing to
cover all systems and applications that created, received, maintained,
or transmitted ePHI
- Anthem lacked sufficient controls for information system activity review,
meaning it did not have adequate mechanisms to monitor and detect
unauthorized access to its systems
- The 11-month dwell time was cited as evidence of inadequate monitoring
- Anthem had insufficient technical policies and procedures for access
controls, specifically failing to implement adequate controls to restrict
access to ePHI to authorized persons and software programs
**Record HIPAA Settlement:** In October 2018, Anthem agreed to pay
$16 million to resolve the potential HIPAA violations, the largest HIPAA
settlement in history at that time. The resolution agreement also required
Anthem to carry out a corrective action plan covering an enterprise-wide
risk analysis, a risk management plan, a review of policies and procedures,
and enhanced employee security training, with two years of HHS monitoring.
**State Attorneys General:** In addition to the federal HIPAA
enforcement, a multistate coalition of attorneys general investigated the
breach under their own consumer protection and breach notification
statutes; that investigation was resolved in 2020 for $39.5 million with
42 states and the District of Columbia. Separately, the consolidated
consumer class action settled for $115 million.
The multi-state action demonstrated that healthcare breaches of this magnitude
face a compounding enforcement landscape where federal HIPAA penalties are
supplemented by state-level actions, creating a cumulative financial impact
far exceeding any single enforcement action.
## What Should Have Been Done
**Enterprise-Wide Risk Analysis:** The cornerstone of HIPAA Security
Rule compliance is a comprehensive risk analysis covering all systems that
touch ePHI. Anthem’s incomplete risk analysis failed to identify the
vulnerability of its enterprise data warehouse to the type of credential-based
attack that Deep Panda executed. Healthcare organizations must ensure their
risk analyses are truly comprehensive, covering not only clinical systems but
also administrative databases, data warehouses, and any system that aggregates
or centralizes member information.
**Advanced Threat Detection:** The 11-month dwell time indicates that
Anthem’s security monitoring capabilities were insufficient to detect a
sophisticated but not invisible intrusion. The attackers ran large database
queries, compressed data, and exfiltrated it over encrypted channels,
activities that generate detectable anomalies under proper monitoring.
User and entity behavior analytics (UEBA) would have flagged the unusual
database queries running under the administrator’s credentials. Network
anomaly detection would have identified the unusual volumes of encrypted
outbound traffic. Security information and event management (SIEM)
correlation rules could have linked the phishing event to subsequent
lateral movement and privilege escalation.
**Multi-Factor Authentication:** The attackers reached critical database
systems with stolen credentials alone. Multi-factor authentication for all
access to systems containing PHI would have significantly impeded their
lateral movement: a password harvested by the initial phishing attack would
not, on its own, have authenticated to the data warehouse. MFA is not a
complete answer, though. An attacker with Sakula running on an
administrator’s workstation can ride a session that the administrator has
already authenticated, so MFA has to be paired with short session lifetimes,
privileged access workstations, and monitoring of what authenticated
sessions actually do.
**Database Activity Monitoring:** The queries used to extract 78.8 million
records from the enterprise data warehouse should have triggered immediate
alerts. Database activity monitoring systems can detect anomalous query
patterns, unusual data volumes, and access from unexpected sources. For a
database containing the personal information of nearly 80 million individuals,
real-time monitoring of all query activity is not optional; it is essential.
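The detection logic that the Advanced Threat Detection and Database Activity Monitoring paragraphs above call for, as an added example written for this page (it is not Anthem’s tooling or any vendor’s product): a per-account baseline is built from historical audit events, and each new event is checked for a source host never seen for that account, a row count beyond three standard deviations of the account’s history (or a hard cap), off-hours execution, and a read of a PII table with no WHERE clause. The pipe-delimited audit format, the account, host and table names, the thresholds and the log lines themselves are all constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample audit trail (assumed pipe-delimited format):
#   timestamp|db_user|source_host|rows_returned|statement
# Five routine queries by one DBA, then three queries on the day under
# review: two shaped like the bulk extraction described in the text and
# one routine lookup that must not alert.
SAMPLE_AUDIT_LOG = """\
2015-01-19T09:12:04|dba_jsmith|ws-ops-114.corp.example|120|SELECT member_id, plan_type FROM members WHERE member_id = 'M1001'
2015-01-19T14:40:51|dba_jsmith|ws-ops-114.corp.example|3400|SELECT * FROM enrollment WHERE plan_year = 2015 AND region = 'NE'
2015-01-20T10:02:13|dba_jsmith|ws-ops-114.corp.example|87|SELECT ssn, dob FROM members WHERE member_id = 'M2210'
2015-01-21T11:30:00|dba_jsmith|ws-ops-114.corp.example|5100|SELECT * FROM claims_summary WHERE month = '2014-12'
2015-01-22T16:15:27|dba_jsmith|ws-ops-114.corp.example|640|SELECT * FROM members WHERE last_name = 'Nguyen'
2015-01-23T02:41:09|dba_jsmith|ws-corp-7731.corp.example|78800000|SELECT * FROM members
2015-01-23T03:10:55|dba_jsmith|ws-corp-7731.corp.example|9200000|SELECT * FROM enrollment
2015-01-23T09:05:30|dba_jsmith|ws-ops-114.corp.example|210|SELECT * FROM members WHERE member_id = 'M3390'
"""

CUTOFF = datetime(2015, 1, 23)                # events before this form the baseline
SENSITIVE_TABLES = {"members", "enrollment"}  # assumed PII-bearing tables
BUSINESS_HOURS = range(6, 20)                 # assumed normal working window (local time)
ABSOLUTE_ROW_CAP = 100_000                    # assumed hard cap for one interactive query
SIGMA = 3.0                                   # baseline deviations before a volume alert


@dataclass
class Event:
    ts: datetime
    user: str
    host: str
    rows: int
    statement: str


@dataclass
class Finding:
    event: Event
    rules: list[str] = field(default_factory=list)


def parse_audit_log(text: str) -> list[Event]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, rows, stmt = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), user, host, int(rows), stmt))
    return events


def build_baseline(history: list[Event]) -> dict[str, tuple[set[str], float]]:
    """Per-account profile: hosts seen, and a row-count ceiling of mean + SIGMA*stdev."""
    hosts, counts = defaultdict(set), defaultdict(list)
    for e in history:
        hosts[e.user].add(e.host)
        counts[e.user].append(e.rows)
    profile = {}
    for user, rows in counts.items():
        spread = pstdev(rows) if len(rows) > 1 else 0.0  # one sample has no spread
        profile[user] = (hosts[user], mean(rows) + SIGMA * spread)
    return profile


def bulk_sensitive_read(statement: str) -> bool:
    """True for a read of a sensitive table with no WHERE clause (a full-table pull)."""
    m = re.search(r"\bFROM\s+([A-Za-z_]\w*)", statement, re.IGNORECASE)
    if not m or m.group(1).lower() not in SENSITIVE_TABLES:
        return False
    return re.search(r"\bWHERE\b", statement, re.IGNORECASE) is None


def detect(events: list[Event], cutoff: datetime) -> list[Finding]:
    """Evaluate every event at or after `cutoff` against the baseline built before it."""
    baseline = build_baseline([e for e in events if e.ts < cutoff])
    findings = []
    for e in events:
        if e.ts < cutoff:
            continue
        known_hosts, ceiling = baseline.get(e.user, (set(), float(ABSOLUTE_ROW_CAP)))
        rules = []
        if not known_hosts:
            rules.append("no_baseline")  # account with no history: treat as suspect
        elif e.host not in known_hosts:
            rules.append("unknown_host")
        if e.rows > min(ceiling, ABSOLUTE_ROW_CAP):
            rules.append("volume_outlier")
        if e.ts.hour not in BUSINESS_HOURS:
            rules.append("off_hours")
        if bulk_sensitive_read(e.statement):
            rules.append("bulk_sensitive_read")
        if rules:
            findings.append(Finding(e, rules))
    # Most rules triggered first: those are the events an analyst must see now.
    return sorted(findings, key=lambda f: len(f.rules), reverse=True)


def run_sample() -> list[Finding]:
    return detect(parse_audit_log(SAMPLE_AUDIT_LOG), CUTOFF)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.event.ts} {f.event.user}@{f.event.host} rows={f.event.rows} "
              f"rules={','.join(f.rules)} :: {f.event.statement}")
```

Run as a script to print the ranked findings: the two extraction queries trip all four rules and the routine lookup trips none. In a real deployment the baseline would come from weeks of the database’s native audit trail or a DAM appliance rather than five lines, the thresholds would be tuned per role, and an event that fires several rules at once is the one that warrants an immediate page rather than a ticket.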
**Data Encryption at Rest:** Anthem encrypted data in transit, but the
warehouse records were not encrypted at rest. Encryption is an addressable
implementation specification under the HIPAA Security Rule: a covered entity
must implement it where reasonable and appropriate, or document why an
equivalent alternative was chosen. It is worth being precise about what it
would have bought here. Transparent database or disk encryption would not
have stopped this particular attack, because the attackers queried the
warehouse through a legitimate database administrator account, and the
database decrypts for any authorized session. What it does defeat is theft of
backups, disk images and raw data files, and application-level encryption of
the most sensitive fields, such as Social Security numbers, with keys held
outside the database, would have limited what a compromised account could
read in clear. For a dataset of this sensitivity and scale, the decision not
to encrypt at all was hard to defend.
**Anti-Phishing Controls:** The initial compromise vector was a
spear-phishing email. Advanced email security gateways, URL sandboxing,
and employee phishing simulation programs reduce the probability of a
successful initial compromise. While no anti-phishing control is perfect,
defense-in-depth approaches significantly reduce the likelihood that
a single phishing email will lead to a catastrophic breach.
The Anthem breach demonstrated that nation-state threat actors view healthcare
data as a high-value intelligence target, and that the U.S. healthcare
sector’s compliance-oriented approach to security was insufficient against
advanced persistent threats. The $16 million HIPAA settlement and $115 million
class action established that healthcare organizations face severe financial
consequences for security failures, even when the attackers are state-sponsored.
For every organization holding health data, the Anthem case is proof that
compliance checklists are not a substitute for genuine security capabilities.