Intelligence Advisory
zerotolerance.me

Anthem 78.8M Patient Records Stolen by Chinese APT

Feb 2015 · $131M total

Publication Date
2015-02-01
Category
Nation-State & Espionage
Author
K. Ellabban
Organization
Zero|Tolerance Security Research

Between February 2014 and January 2015, the Chinese state-sponsored threat group known as Deep Panda conducted a sustained intrusion into Anthem Inc., the second-largest health insurer in the United States. Using targeted spear-phishing emails and the Sakula remote access trojan, the attackers maintained persistent access for approximately 11 months, exfiltrating the personal data of 78.8 million current and former members and employees.

Executive Summary

Key Facts

  • What: Chinese state-sponsored hackers breached Anthem over an 11-month intrusion.
  • Who: 78.8 million current and former Anthem members and employees.
  • Data Exposed: Social Security numbers, medical IDs, income data, and personal details.
  • Outcome: Record $16M HIPAA settlement and $115M class action settlement.
Impact Assessment

What Was Exposed

  • Social Security numbers for 78.8 million current and former Anthem members and employees
  • Medical identification numbers linked to insurance coverage records
  • Full names, dates of birth, and home addresses
  • Email addresses and employment information including income data
  • Health plan enrollment data including plan type, coverage dates, and member identifiers
  • Employee records including job titles, departments, and hiring dates for Anthem staff

While Anthem emphasized that no medical records or claims data were stolen, the exposed dataset was profoundly sensitive. Social Security numbers paired with health plan identifiers, dates of birth, and income data constitute a comprehensive identity profile.

The medical ID numbers, in particular, enable medical identity fraud, a category of identity theft in which stolen health credentials are used to obtain medical care, prescription drugs, or fraudulent insurance reimbursements under the victim’s identity. Medical identity fraud is notoriously difficult to detect and remediate because it corrupts the victim’s medical records with another person’s health information, potentially leading to dangerous treatment errors.

Analysis

The Attack: Deep Panda and Sakula Malware

The intrusion began in February 2014 when at least one Anthem employee, working in a subsidiary, clicked on a link in a spear-phishing email. The phishing message was carefully crafted to appear as a legitimate internal communication, and the embedded link directed the victim’s browser to a domain controlled by the attackers, which delivered the Sakula remote access trojan.

Sakula provided the attackers with persistent remote access to the compromised workstation, including keylogging, screen capture, and the ability to execute arbitrary commands. From this initial foothold, the attackers harvested the employee’s credentials and used them to move laterally through Anthem’s network.

Over the following months, they escalated privileges, eventually obtaining access to the credentials of a database administrator with access to Anthem’s enterprise data warehouse. This warehouse contained the centralized personal information of all Anthem members across its various health plan brands, including Blue Cross Blue Shield of California, Anthem Blue Cross Blue Shield, and Empire Blue Cross Blue Shield.

The attackers ran queries against this warehouse to extract member data, packaging it into compressed archives for exfiltration. The data was transmitted to external servers through encrypted channels.

The intrusion remained undetected for approximately 11 months. It was discovered on January 27, 2015, when a database administrator noticed that a query was running under his credentials that he had not initiated.

The administrator reported the anomaly to Anthem’s internal security team, which triggered an investigation that revealed the full scope of the compromise. Anthem publicly disclosed the breach on February 4, 2015.

Attribution

Attribution and Criminal Indictment

The attribution to Chinese state-sponsored actors was made by multiple cybersecurity firms based on the Sakula malware family, the command-and-control infrastructure, and the operational patterns of the intrusion. The Sakula RAT had been previously linked to Chinese intelligence operations targeting defense contractors, aerospace companies, and technology firms.

In 2019, the U.S. Department of Justice indicted Fujie Wang and an unnamed co-conspirator, both Chinese nationals, for their roles in the Anthem breach and related intrusions into other U.S. companies. The indictment detailed how the hackers used the same infrastructure and techniques across multiple targets, confirming the campaign’s state-sponsored nature.

Compliance Impact

Regulatory Analysis

The Anthem breach triggered enforcement actions under multiple federal and state frameworks, with the HIPAA enforcement action establishing the most significant precedent for healthcare data security in the United States.

HIPAA Privacy Rule: The Privacy Rule establishes national standards for the protection of individually identifiable health information, known as protected health information (PHI). While Anthem argued that the stolen data did not include medical records or claims data, HHS took the position that the combination of health plan identifiers, member IDs, and enrollment information constituted PHI under the broad HIPAA definition.

HIPAA Security Rule - Risk Analysis Failures: The HHS Office for Civil Rights (OCR) investigation focused on Anthem’s compliance with the HIPAA Security Rule, which requires covered entities to implement administrative, physical, and technical safeguards for electronic PHI.

OCR’s findings identified several critical deficiencies:

  • Anthem failed to conduct an enterprise-wide risk analysis sufficient to identify all risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI
  • The risk analysis that Anthem had performed was incomplete, failing to cover all systems and applications that created, received, maintained, or transmitted ePHI
  • Anthem lacked sufficient controls for information system activity review, meaning it did not have adequate mechanisms to monitor and detect unauthorized access to its systems
  • The 11-month dwell time was cited as evidence of inadequate monitoring
  • Anthem had insufficient technical policies and procedures for access controls, specifically failing to implement adequate controls to restrict access to ePHI to authorized persons and software programs

Record HIPAA Settlement: In October 2018, Anthem agreed to pay $16 million to settle the HIPAA violations, the largest HIPAA settlement in history at that time. The settlement also required Anthem to undertake a comprehensive corrective action plan including an enterprise-wide risk analysis, a risk management plan, a review of policies and procedures, and enhanced employee security training. Anthem was also subject to two years of monitoring by HHS.

State Attorneys General: In addition to the federal HIPAA enforcement, Anthem settled with attorneys general from all 50 states.

The class action settlement totaled $115 million. Individual states pursued enforcement under their own consumer protection and breach notification statutes.

The multi-state action demonstrated that healthcare breaches of this magnitude face a compounding enforcement landscape where federal HIPAA penalties are supplemented by state-level actions, creating a cumulative financial impact far exceeding any single enforcement action.

Assessment

What Should Have Been Done

Enterprise-Wide Risk Analysis: The cornerstone of HIPAA Security Rule compliance is a comprehensive risk analysis covering all systems that touch ePHI. Anthem’s incomplete risk analysis failed to identify the vulnerability of its enterprise data warehouse to the type of credential-based attack that Deep Panda executed. Healthcare organizations must ensure their risk analyses are truly comprehensive, covering not only clinical systems but also administrative databases, data warehouses, and any system that aggregates or centralizes member information.

Advanced Threat Detection: The 11-month dwell time indicates that Anthem’s security monitoring capabilities were insufficient to detect an intrusion that was sophisticated but not invisible. The attackers ran large database queries, compressed the results, and exfiltrated them over encrypted channels: all activities that generate detectable anomalies under proper monitoring.

User and entity behavior analytics (UEBA) would have flagged the unusual database queries running under the administrator’s credentials. Network anomaly detection would have identified the unusual volumes of encrypted outbound traffic. Security information and event management (SIEM) correlation rules could have linked the phishing event to subsequent lateral movement and privilege escalation.

Multi-Factor Authentication: The attackers were able to access critical database systems using stolen credentials alone. Multi-factor authentication for all access to systems containing PHI would have significantly impeded the attackers’ lateral movement. Even after compromising an employee’s password through the initial phishing attack, the attackers would have been unable to authenticate to database systems without a second factor.

Database Activity Monitoring: The queries used to extract 78.8 million records from the enterprise data warehouse should have triggered immediate alerts. Database activity monitoring systems can detect anomalous query patterns, unusual data volumes, and access from unexpected sources. For a database containing the personal information of nearly 80 million individuals, real-time monitoring of all query activity is not optional; it is essential.
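The signals described above for UEBA and database activity monitoring (a bulk extraction running under a DBA’s credentials, from a host that account never uses, outside business hours) can be modelled with a small per-account baseline. The following Python is an added example, not part of the original advisory or any Anthem tooling; the audit-log format, account name, host names and row counts are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample audit lines (not real Anthem telemetry):
# <timestamp> <db account> <client host> rows=<rows returned>
SAMPLE_LOG = """\
2015-01-20T09:15:02 dba_admin wks-dba01 rows=120
2015-01-20T10:42:11 dba_admin wks-dba01 rows=340
2015-01-21T09:03:55 dba_admin wks-dba01 rows=88
2015-01-22T11:20:37 dba_admin wks-dba01 rows=410
2015-01-23T14:07:19 dba_admin wks-dba01 rows=205
2015-01-26T02:31:44 dba_admin wks-sub17 rows=7800000
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) rows=(\d+)$")

def parse_log(text):
    """Turn audit lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, user, host, rows = m.groups()
            events.append({"ts": datetime.fromisoformat(ts), "user": user,
                           "host": host, "rows": int(rows)})
    return events

def detect_anomalies(events, z_threshold=3.0, hours=(7, 19), min_history=3):
    """Score each query against the same account's earlier activity. Flags
    result volume far above baseline (z-score), a client host never seen for
    that account, and off-hours execution; returns flagged (event, reasons)."""
    history, alerts = defaultdict(list), []
    for ev in events:
        prior = history[ev["user"]]
        if len(prior) >= min_history:  # first queries only build the baseline
            rows = [p["rows"] for p in prior]
            spread = max(pstdev(rows), 1.0)  # guard against a flat baseline
            reasons = []
            if (ev["rows"] - mean(rows)) / spread > z_threshold:
                reasons.append("volume")
            if ev["host"] not in {p["host"] for p in prior}:
                reasons.append("new_host")
            if not hours[0] <= ev["ts"].hour < hours[1]:
                reasons.append("off_hours")
            if reasons:
                alerts.append((ev, reasons))
        prior.append(ev)  # production systems would exclude confirmed-malicious rows
    return alerts
```

Running `detect_anomalies(parse_log(SAMPLE_LOG))` flags only the final query, with all three reasons; a real deployment would feed the same scoring from the database’s native audit stream into the SIEM.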

Data Encryption at Rest: While Anthem encrypted data in transit, the database records were not encrypted at rest. Had the data warehouse employed encryption with properly managed keys, the stolen data would have been significantly more difficult for the attackers to use.

Encryption at rest is explicitly recommended by the HIPAA Security Rule as an addressable implementation specification, and for a dataset of this sensitivity and scale, the decision not to encrypt was indefensible.

Anti-Phishing Controls: The initial compromise vector was a spear-phishing email. Advanced email security gateways, URL sandboxing, and employee phishing simulation programs reduce the probability of a successful initial compromise. While no anti-phishing control is perfect, defense-in-depth approaches significantly reduce the likelihood that a single phishing email will lead to a catastrophic breach.

The Anthem breach demonstrated that nation-state threat actors view healthcare data as a high-value intelligence target, and that the U.S. healthcare sector’s compliance-oriented approach to security was insufficient against advanced persistent threats. The $16 million HIPAA settlement and $115 million class action established that healthcare organizations face severe financial consequences for security failures, even when the attackers are state-sponsored.

For every organization holding health data, the Anthem case is proof that compliance checklists are not a substitute for genuine security capabilities.