Anthem Health: 78 Million Patient Records and a Single Phishing Email

A single employee fell for a spear-phishing email, giving attackers access to Anthem's data warehouse containing 78 million unencrypted patient records — names, SSNs, income data, and employment information.

Anthem Inc. · 2015 · 2 min read

Background

Anthem Inc. was the second-largest health insurer in the United States, covering nearly 40 million people across its Blue Cross Blue Shield plans. Health records are among the most valuable data on criminal markets, often reported to fetch around ten times the price of a stolen credit card number, because they bundle identity, financial and employment details that cannot be reissued the way a card can.

The Attack

Attackers, attributed to a Chinese state-sponsored group tracked as Deep Panda (also known as Black Vine), sent a spear-phishing email to an Anthem employee in early 2014. After gaining that initial foothold, they moved laterally and harvested credentials from several employees, including a database administrator with access to Anthem's data warehouse. Using those credentials they ran queries against the warehouse and extracted records for roughly 78.8 million people, remaining undetected for almost a year. The warehouse stored the records unencrypted, which drew heavy criticism after the breach. The caveat that matters for defenders: the attackers were issuing queries as a legitimate administrator, and a database decrypts transparently for any account it trusts, so encryption at rest alone would not have stopped these queries. It would have limited the damage only if the attackers had instead exfiltrated raw database files or backups.

Response

Anthem discovered the breach on January 27, 2015, when a database administrator noticed a query running under his own credentials that he had not initiated. The company notified the FBI and hired outside forensic investigators, then publicly disclosed the breach in February 2015. Anthem offered two years of free credit monitoring and identity protection to all affected individuals, and Congress held hearings on the security of health data.
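The detection that finally surfaced the breach was a human one: an administrator happened to see his account running a query he had not started. The following is an added example, not code from Anthem or from any named product, showing how that observation can be turned into automated monitoring of privileged database accounts (the second takeaway below). It builds a per-account baseline from a training window of audit records (known source hosts and the largest result set the account has ever pulled) and then flags later queries that come from a new host, run outside working hours, or return far more rows than the account ever has. The audit records, account names, hosts, working-hours window and the 10x bulk-read multiplier are all constructed assumptions for the example.

```python
"""Baseline-and-anomaly detection over database audit records.

Added example with constructed data; not Anthem's tooling. The record
shape (timestamp, account, client host, rows returned, statement) mirrors
what most database audit plugins can emit, but field names are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime
import json

# Constructed sample audit log. The first four records form a normal
# baseline for the DBA account; the last two land in the monitoring window.
SAMPLE_AUDIT_LOG = """
{"ts": "2015-01-12T09:14:02", "user": "dba_jsmith", "host": "wks-dba-01.corp", "rows": 12, "stmt": "SELECT count(*) FROM members"}
{"ts": "2015-01-12T10:41:55", "user": "dba_jsmith", "host": "wks-dba-01.corp", "rows": 300, "stmt": "SELECT id, plan FROM members WHERE state='IN'"}
{"ts": "2015-01-13T15:03:17", "user": "dba_jsmith", "host": "wks-dba-01.corp", "rows": 1, "stmt": "ALTER TABLE members ADD INDEX ix_plan (plan)"}
{"ts": "2015-01-14T11:20:09", "user": "dba_jsmith", "host": "wks-dba-01.corp", "rows": 45, "stmt": "SELECT * FROM claims WHERE id IN (101, 102)"}
{"ts": "2015-01-26T14:30:00", "user": "dba_jsmith", "host": "wks-dba-01.corp", "rows": 80, "stmt": "SELECT id, plan FROM members WHERE state='OH'"}
{"ts": "2015-01-27T02:17:44", "user": "dba_jsmith", "host": "srv-web-07.corp", "rows": 2500000, "stmt": "SELECT * FROM members"}
"""

PRIVILEGED_ACCOUNTS = {"dba_jsmith"}  # accounts that get dedicated monitoring (assumption)
WORK_HOURS = range(7, 20)             # 07:00 to 19:59, local time (assumption)
BULK_ROWS_MULTIPLIER = 10             # alert when rows > 10x the account's historical max (assumption)


@dataclass
class Baseline:
    """What 'normal' looks like for one privileged account."""
    hosts: set = field(default_factory=set)
    max_rows: int = 0


def parse_log(text):
    """One JSON object per line; blank lines are ignored."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def build_baseline(records, before):
    """Learn per-account hosts and largest result set from records with ts < before.

    Timestamps are fixed-width ISO 8601, so string comparison orders them correctly.
    """
    baselines = {}
    for r in records:
        if r["user"] not in PRIVILEGED_ACCOUNTS or r["ts"] >= before:
            continue
        b = baselines.setdefault(r["user"], Baseline())
        b.hosts.add(r["host"])
        b.max_rows = max(b.max_rows, r["rows"])
    return baselines


def score(record, baselines):
    """Return the list of reasons a record is anomalous (empty means benign)."""
    b = baselines.get(record["user"])
    if b is None:
        return []  # not a monitored privileged account
    reasons = []
    if record["host"] not in b.hosts:
        reasons.append(f"new source host {record['host']}")
    hour = datetime.fromisoformat(record["ts"]).hour
    if hour not in WORK_HOURS:
        reasons.append(f"outside working hours ({hour:02d}:00)")
    if record["rows"] > BULK_ROWS_MULTIPLIER * max(b.max_rows, 1):
        reasons.append(f"bulk read of {record['rows']} rows (historical max {b.max_rows})")
    return reasons


def detect(text, before):
    """Baseline on records before the cutoff, alert on anomalous records at or after it."""
    records = parse_log(text)
    baselines = build_baseline(records, before)
    alerts = []
    for r in records:
        if r["ts"] < before:
            continue
        reasons = score(r, baselines)
        if reasons:
            alerts.append((r["user"], r["ts"], reasons))
    return alerts


if __name__ == "__main__":
    for user, ts, reasons in detect(SAMPLE_AUDIT_LOG, "2015-01-20"):
        print(f"ALERT {ts} {user}: " + "; ".join(reasons))
```

The three signals are deliberately cheap: none of them requires parsing SQL, and each on its own would have been worth a page to the on-call analyst. In a real deployment the baseline would be rebuilt on a rolling window and the row-count check would be paired with a hard ceiling on result sets from the warehouse, so that a privileged account cannot pull the whole member table in one statement regardless of what its history looks like.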

Outcome

The Anthem breach was, at the time, the largest health data breach in US history. Anthem paid $115 million in 2017 to settle a consumer class action, $16 million to HHS in 2018 for HIPAA violations (then the largest HIPAA settlement on record), and a further $39.5 million in 2020 to settle with state attorneys general. The attack prompted the healthcare industry to urgently reassess encryption practices for data at rest, and, just as importantly, how privileged access to large patient datasets is controlled and monitored.

Key Takeaways

  1. Encrypting sensitive data at rest limits exposure when disks, backups or raw database files are stolen, but it does nothing against queries issued with valid credentials; it must be paired with access controls and query monitoring
  2. Privileged database accounts require dedicated monitoring and anomaly detection: source host, time of day and result-set size are cheap signals, and a hard ceiling on result sets from sensitive tables turns a bulk dump into a failed query
  3. Health data is among the highest-value targets for nation-state intelligence gathering as well as for criminals
  4. A single phishing click in a large enterprise can cascade to an enterprise-wide breach when credential theft and lateral movement go undetected for months
Tags: spear-phishing, health data, HIPAA, data warehouse, nation-state