New report: In Anthem breach, foreign hackers took advantage of common security gaps

Investigators believe perpetrators of the 2015 Anthem hack that exposed personal records of more than 78 million people may have been acting on behalf of a foreign government, exploiting weaknesses in the insurer’s system that are commonplace within the industry.

Investigators determined the identity of the hacker with “high confidence,” and concluded with “medium confidence” that the attacker was working on behalf of a foreign government, according to a report (PDF) from the California Department of Insurance. Although the report did not identify the attacker, officials have previously linked the attack to a Chinese cyberespionage group called Black Vine that sought information on how other countries handle medical care.

California Insurance Commissioner Dave Jones called on the federal government to help insurers facing cyberattacks from foreign governments.

“Insurers and regulators alone cannot stop foreign government assisted cyberattacks,” Jones said in an announcement. “The United States government needs to take steps to prevent and hold foreign governments and other foreign actors accountable for cyberattacks on insurers, much as the president did in response to Russian government sponsored cyber hacking in our recent presidential election.”

Although the report found Anthem took “reasonable measures” to protect patient information prior to the breach, the attacker targeted specific weaknesses within the system. On Feb. 18, 2014, an employee within an Anthem subsidiary opened a phishing email, allowing the attacker to gain remote access to the computer and then move laterally across at least 50 accounts and 90 systems, including the insurer’s enterprise data warehouse where the bulk of the information was stolen.

Investigators noted that “these deficiencies were not, in our experience, uncommon to companies comparable to Anthem in size and scope,” adding that Anthem has since implemented two-factor authentication on all remote access devices and invested in additional monitoring capabilities. Investigators added that Anthem’s cybersecurity team responded immediately once it discovered the breach, informing law enforcement and cutting off access to the attacker within three days.

Investigators added that new controls implemented since the breach was discovered should improve how Anthem detects and responds to any future attacks.

“Anthem takes the security of its information and the personal information of consumers very seriously and is committed to protecting the data of its customers,” Anthem spokesman Daniel Ng said in an emailed statement to the Associated Press.

Cyberattacks against healthcare companies have evolved since the Anthem breach, as providers and insurers have seen an increase in ransomware attacks. Cyberattacks against the healthcare industry continued throughout 2016, prompting the Department of Health and Human Services' Office of Inspector General to investigate how providers are protecting patient information.