DOJ charges Chinese national, accomplice in landmark Anthem hack

Editor's note: This article has been updated to include a statement from an Anthem spokesman

Federal prosecutors this week charged a Chinese national and an unnamed accomplice with stealing personal information on nearly 80 million Americans in the historic 2015 hack of health insurer Anthem's network.

The Chinese national, 32-year-old Fujie Wang, is a member of a sophisticated hacking group operating in China that targeted and gained entry to the computer systems of Anthem and three other unnamed U.S. businesses, according to an indictment unsealed on Thursday. The indictment was filed in the U.S. District Court in Indianapolis, where Anthem is based.

Wang and an accomplice identified as John Doe were indicted for conspiracy to commit fraud and related activity in connection with computers, conspiracy to commit wire fraud, and causing intentional damage to a protected computer.

Assistant Attorney General Brian Benczkowski of the Justice Department’s Criminal Division said the Anthem breach was "one of the worst data breaches in history," and said the indictment outlines the activities of a "brazen China-based computer hacking group."

In a statement, an Anthem spokesman said, "We are grateful for the support and partnership of the FBI and extended law enforcement team in investigating the sophisticated cyber attack that Anthem was a victim of in February 2015, and are pleased with the action taken today."

The spokesman also said there is no evidence that information obtained through the 2015 cyber attack targeting Anthem has resulted in fraud. "We are committed to safeguarding protected health information and personally identifiable information and adapting to the changing health care information security environment and will continue to collaborate with state and federal regulators and partners in this critical work," the spokesman said.

Investigators found network intrusions going back to February 2014. As part of an international computer hacking scheme, the attackers allegedly used "sophisticated techniques" to hack into the computer networks, according to the indictment. These techniques included sending specially tailored "spearphishing" emails with embedded hyperlinks to employees of the victim businesses.

After a user clicked the hyperlink, a file was downloaded which, when executed, deployed malware that compromised the user's computer by installing a tool known as a backdoor, which provided remote access to that system through a server controlled by the defendants, the indictment said.


"They sometimes patiently waited months before taking further action, eventually engaging in reconnaissance by searching the network for data of interest," including personally identifiable information (PII) and confidential business information, the indictment said.

On multiple occasions in October and November 2014, the attackers accessed Anthem's network to conduct reconnaissance on its enterprise data warehouse, a system that stores a large amount of PII.

Wang and Doe allegedly identified and ultimately stole data concerning approximately 78.8 million persons from Anthem’s computer network, including names, health identification numbers, dates of birth, Social Security numbers, addresses, telephone numbers, email addresses, employment information and income data, the indictment said. The attackers also collected files and other information from compromised computers at other victim businesses.

The Anthem data breach was a landmark cybersecurity event and the largest healthcare breach to date. As a result, Anthem paid a record-setting $16 million settlement to the Department of Health and Human Services (HHS) Office of Civil Rights.

OCR Director Roger Severino said at the time that the largest health data breach in U.S. history fully merits the largest HIPAA settlement in history. "Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people's private information," Severino said when the settlement was announced last October.

Anthem also agreed to a $115 million settlement to resolve class action lawsuits filed by victims of the breach.

The defendants allegedly attacked U.S. businesses operating in four distinct industry sectors, Benczkowski said.

Assistant Director Matt Gorham of the FBI's Cyber Division said the case highlights the importance of collaboration between the FBI and private industry in mitigating and investigating cyberattacks. He noted that the victim companies promptly notified the FBI of malicious cyber activity, which helped law enforcement investigate and identify the perpetrators of this "large-scale, highly sophisticated scheme."


"It should also be noted that the speed with which Anthem initially notified the FBI of the intrusion on their networks was also a key factor in being able to determine who was responsible for the breach and should serve as an example to other organizations that might find themselves in a similar situation," Special Agent in Charge Grant Mendenhall said in a statement.

Wang and Doe are charged with one count of conspiracy to commit fraud and related activity in relation to computers and identity theft, one count of conspiracy to commit wire fraud, and two substantive counts of intentional damage to a protected computer.

According to the indictment, once the attackers identified and located data of interest, they collected the relevant files and other information from the compromised computers using software tools, placed them into encrypted archive files, and sent them through multiple computers to destinations in China. On multiple occasions in January 2015, the attackers allegedly accessed Anthem's enterprise data warehouse and transferred encrypted archive files containing PII from the data warehouse to China.

The attackers then deleted the encrypted archive files from the computer networks of the victim businesses, in an attempt to avoid detection, the indictment said.

The case was investigated by the FBI's Indianapolis Field Office. Senior Counsel William Hall, Jr. of the Criminal Division's Computer Crime and Intellectual Property Section and Assistant U.S. Attorney and Deputy Chief of the General Crimes Unit Steven DeBrota of the Southern District of Indiana are prosecuting the case.

Significant assistance was provided by the Justice Department’s National Security Division and the Criminal Division’s Office of International Affairs, according to DOJ officials.