Anatomy of a Breach: Anthem — 78.8 Million Health Records and the Largest Healthcare Breach in History

> series: anatomy_of_a_breach —— part: 074 —— target: anthem_inc —— records: 78,800,000 —— attacker: deep_panda

Hedgehog Security 28 February 2015 13 min read

78.8 million health records. The largest healthcare breach in history.

On 4 February 2015, Anthem Inc. disclosed that it had been the victim of a cyberattack that compromised the personal information of approximately 78.8 million current and former members and employees — making it the largest healthcare data breach ever reported. The stolen data included names, dates of birth, Social Security numbers, medical ID numbers, addresses, email addresses, and employment information — everything needed for comprehensive identity theft.

The breach was attributed to a Chinese state-sponsored group known as Deep Panda (APT19), which had gained initial access through spear-phishing emails targeting Anthem employees. The attackers used stolen credentials to access the company's data warehouse and exfiltrated the records over several weeks. Anthem's CEO discovered the breach on 27 January 2015 after noticing a suspicious database query running under his own credentials — credentials that had been compromised without his knowledge. Anthem ultimately paid $115 million in the largest data breach class action settlement at the time.
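The anomalous query running under an executive's credentials is exactly the kind of signal a warehouse audit review can surface while exfiltration is still under way. The block below is an added example, not Anthem's tooling or Hedgehog Security's code: it checks constructed audit-log rows against a per-account baseline (hosts the account normally queries from, the largest result set it has returned, whether after-hours activity is expected). The account names, hosts, row counts, thresholds and business-hours policy are all assumptions chosen to illustrate the check.

```python
from datetime import datetime

# Constructed audit-log rows for a data warehouse (illustrative, not Anthem's logs):
# (timestamp, account, source_host, rows_returned, statement)
SAMPLE_AUDIT = [
    ("2015-01-26T02:10:00", "etl_svc", "etl01", 4_800_000,
     "SELECT member_id, plan_id FROM members WHERE updated_at > ?"),
    ("2015-01-26T09:30:00", "analyst.jdoe", "ws-1042", 12_000,
     "SELECT plan_id, COUNT(*) FROM members GROUP BY plan_id"),
    ("2015-01-26T23:45:00", "ceo.exec", "vpn-pool-17", 78_800_000,
     "SELECT * FROM members"),
    ("2015-01-27T10:00:00", "svc_unknown", "ws-9999", 500,
     "SELECT 1"),
]

# Constructed per-account baseline, assumed to be derived from the previous 30 days of logs:
# hosts the account normally queries from, the largest result set it has returned, and
# whether after-hours activity is expected (true for batch/ETL service accounts).
BASELINE = {
    "etl_svc":      {"hosts": {"etl01"},   "max_rows": 5_000_000, "after_hours_ok": True},
    "analyst.jdoe": {"hosts": {"ws-1042"}, "max_rows": 20_000,    "after_hours_ok": False},
    "ceo.exec":     {"hosts": {"ws-0001"}, "max_rows": 0,         "after_hours_ok": False},
}

BUSINESS_HOURS = range(7, 20)  # 07:00-19:59; assumed policy
BULK_ROWS = 1_000_000          # assumed absolute threshold for a bulk export


def flag_query(record, baseline=BASELINE):
    """Return the list of reasons a single audit record deviates from the account's baseline."""
    ts, account, host, rows, stmt = record
    when = datetime.fromisoformat(ts)
    reasons = []
    profile = baseline.get(account)

    if profile is None:
        reasons.append("account has no query history")
        after_hours_ok = False
    else:
        after_hours_ok = profile["after_hours_ok"]
        if host not in profile["hosts"]:
            reasons.append(f"new source host {host}")
        # Volume is judged against the account's own history rather than a global threshold,
        # so an account that has never queried the warehouse is flagged on any result set.
        if rows > 0 and rows > 10 * profile["max_rows"]:
            reasons.append(f"{rows:,} rows returned vs. historical max {profile['max_rows']:,}")

    if when.hour not in BUSINESS_HOURS and not after_hours_ok:
        reasons.append("query outside business hours")
    if stmt.strip().upper().startswith("SELECT *") and rows >= BULK_ROWS:
        reasons.append("unfiltered bulk export")
    return reasons


def review_audit(records, baseline=BASELINE):
    """Return (timestamp, account, reasons) for every record that triggers at least one flag."""
    alerts = []
    for rec in records:
        reasons = flag_query(rec, baseline)
        if reasons:
            alerts.append((rec[0], rec[1], reasons))
    return alerts


if __name__ == "__main__":
    for ts, acct, reasons in review_audit(SAMPLE_AUDIT):
        print(f"{ts} {acct}: {'; '.join(reasons)}")
```

The point of the per-account baseline is that a full-table export is unremarkable for an ETL service account and highly remarkable for a senior executive's account; a single global row threshold would either miss the second or drown the first in noise. In practice the baseline would be rebuilt from the warehouse's own audit table, and the alerts fed to the SOC rather than printed.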

Why health data is the most valuable data on the dark web.

Healthcare records are more valuable on the dark web than credit card numbers — a stolen health record can sell for $50-$100 compared to $1-$5 for a credit card. The reason: health records contain the comprehensive personal information needed for long-term identity theft (Social Security numbers, dates of birth, addresses), medical fraud (filing false insurance claims), and cannot be easily changed (unlike a credit card number, you cannot get a new Social Security number or date of birth).

Healthcare Is a Prime APT Target
The Anthem breach — attributed to a Chinese state-sponsored group — demonstrated that healthcare organisations are targets for nation-state espionage, not just financial criminals. The stolen data could be used for intelligence gathering, identifying individuals for recruitment or blackmail, or building comprehensive profiles of US citizens. Our <a href="/blog/sector-under-the-microscope-healthcare">healthcare sector analysis</a> examines the full threat landscape.
Spear-Phishing — The Universal Entry Point
The Anthem breach began with phishing — the same entry vector behind <a href="/blog/anatomy-of-a-breach-rsa-securid">RSA</a>, <a href="/blog/anatomy-of-a-breach-target">Target</a>, <a href="/blog/anatomy-of-a-breach-jp-morgan-chase">JP Morgan</a>, and <a href="/blog/anatomy-of-a-breach-ebay">eBay</a>. Our <a href="/penetration-testing/social-engineering">social engineering assessments</a> test staff resilience to the emails that begin every major breach.
Data Warehouse Accessed Without MFA
The attackers used stolen credentials to access the data warehouse containing 78.8 million records. MFA on the data warehouse would have prevented the stolen credentials from being usable. <a href="/cyber-essentials">Cyber Essentials Danzell</a> mandates MFA — the control that keeps appearing as the absent defence in every major breach.
$115 Million Settlement
The class action settlement was the largest for a data breach at the time. Under GDPR (not yet in force), the penalty could have been 4% of global turnover. For UK healthcare organisations covered by our <a href="/blog/sector-under-the-microscope-healthcare">sector analysis</a>, the regulatory and litigation exposure from a breach of this scale would be existential.

The sector that holds the most valuable data with the greatest risk.

For UK healthcare organisations, the Anthem breach reinforces the lessons of our healthcare sector analysis: health data is uniquely valuable to attackers, healthcare infrastructure is uniquely vulnerable (legacy systems, flat networks, shared credentials), and the regulatory consequences of a breach are severe. Cyber Essentials certification establishes the baseline. Our penetration testing identifies the vulnerabilities before attackers do. SOC in a Box for Healthcare provides 24/7 monitoring. And UK Cyber Defence provides incident response when a breach occurs.


78.8 million health records. The largest healthcare breach in history. Is your health data protected?

Our <a href="/penetration-testing">penetration testing</a> and <a href="/cyber-essentials">Cyber Essentials certification</a> address the specific controls healthcare organisations need. <a href="https://www.socinabox.co.uk/sectors/gp-surgeries">SOC in a Box for Healthcare</a> monitors 24/7.