
Anthem Inc. data breach

Chinese state-attributed actors exfiltrated personal data on 78.8 million current and former Anthem health insurance customers — at the time the largest healthcare-sector breach in U.S. history.

Victim: Anthem Inc.
Loss: $260.0M
Records: 78.8M
Users: 78.8M

On 4 February 2015, Anthem Inc. — at the time the second-largest U.S. health insurer — publicly disclosed that attackers had stolen personal information on 78.8 million current and former members. It was, at the time, the largest healthcare-sector breach in U.S. history, and the most-cited example of Chinese state cyber-collection against U.S. personal-records-rich infrastructure during the 2014–2018 campaign that also targeted OPM, Marriott/Starwood, and Equifax.

What happened

The intrusion began with spearphishing of an IT administrator at an Anthem subsidiary in April 2014. The stolen credentials gave the attackers entry to Anthem's corporate network, where they spent months establishing persistence, mapping the environment, and ultimately gaining access to the enterprise data warehouse that consolidated member data across Anthem's regional plans.

Beginning around 10 December 2014, the operators ran bulk queries against the data warehouse, extracting member records in chunks. The query pattern was sufficiently unusual that an Anthem database administrator noticed on 27 January 2015 that queries were running under their own credentials when they were not actively logged in — and reported the activity. Anthem disclosed the breach publicly eight days later.
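The detection point described above, as an added example that is not from the page or from Anthem's own tooling: a small Python check over a constructed, simplified warehouse audit trail that flags queries executed under an account with no open interactive session, and queries returning bulk row counts. The log format, account name and the bulk-row threshold are assumptions.

```python
from datetime import datetime

# Constructed sample audit trail (not real Anthem logs). One event per line:
#   <ISO timestamp> <LOGIN|LOGOUT|QUERY> <account> <rows returned, 0 for session events>
AUDIT_LOG = [
    "2014-12-10T02:13:05 QUERY dba_alice 4800000",   # overnight, no session open
    "2014-12-10T02:41:19 QUERY dba_alice 5100000",
    "2014-12-10T03:10:00 QUERY dba_alice 50",        # small, but still no session
    "2014-12-10T09:02:44 LOGIN dba_alice 0",
    "2014-12-10T09:15:10 QUERY dba_alice 120",       # normal interactive work
    "2014-12-10T10:00:00 QUERY dba_alice 2000000",   # session open, but bulk volume
    "2014-12-10T17:30:00 LOGOUT dba_alice 0",
    "2014-12-10T23:55:31 QUERY dba_alice 4900000",   # after logout
]

BULK_ROWS = 1_000_000  # assumed threshold: rows per query that count as bulk extraction


def parse(line):
    ts, event, account, rows = line.split()
    return datetime.fromisoformat(ts), event, account, int(rows)


def find_suspicious_queries(lines, bulk_rows=BULK_ROWS):
    """Replay the trail in time order and return (timestamp, account, reasons)
    for every query that ran with no interactive session open for its account
    ("no_active_session") or that returned at least bulk_rows rows ("bulk_extraction")."""
    logged_in = set()
    findings = []
    for ts, event, account, rows in sorted(map(parse, lines)):
        if event == "LOGIN":
            logged_in.add(account)
        elif event == "LOGOUT":
            logged_in.discard(account)
        elif event == "QUERY":
            reasons = []
            if account not in logged_in:
                reasons.append("no_active_session")
            if rows >= bulk_rows:
                reasons.append("bulk_extraction")
            if reasons:
                findings.append((ts.isoformat(), account, reasons))
    return findings


if __name__ == "__main__":
    for ts, account, reasons in find_suspicious_queries(AUDIT_LOG):
        print(ts, account, ", ".join(reasons))
```

In a real deployment the session state would come from the authentication system rather than the database log itself, so that a stolen password used from a new host is still visible as "no interactive session".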

The exfiltrated data included names, dates of birth, Social Security numbers, addresses, email addresses, employment information, and income data for roughly 78.8 million people. Crucially, no medical records or financial payment data were in the affected database — but the breadth of PII was sufficient for identity theft, social engineering, and (per the U.S. government attribution) counter-intelligence purposes.

Impact

  • 78.8 million people had PII exposed.
  • $115 million class action settlement in 2017 — the largest U.S. data-breach class settlement at the time.
  • $16 million HHS Office for Civil Rights HIPAA settlement in 2018 — the largest HIPAA penalty in U.S. history.
  • $39.5 million multi-state attorneys general settlement in 2020.
  • Total disclosed cost: ~$260 million before insurance.

Attribution

Mandiant and Symantec independently attributed the operation to Chinese state actors within weeks of disclosure. The actor cluster — named Black Vine by Symantec and overlapping with Deep Panda in CrowdStrike's taxonomy — has been linked to multiple U.S. healthcare and aerospace intrusions including:

  • Anthem (2015) — 78.8M records
  • Premera Blue Cross (2014, disclosed 2015) — 11M records
  • CareFirst BlueCross BlueShield (2014, disclosed 2015) — 1.1M records
  • VAE Inc. (defence contractor)
  • United Airlines (2015)

In May 2019, the U.S. DOJ unsealed an indictment naming Fujie Wang and an unnamed co-conspirator for the Anthem intrusion specifically, along with three other corporate breaches between 2014 and 2015. The indictment alleged that the attackers worked from China; Wang has not been arrested or extradited.

The intelligence-collection thesis — that this was a Chinese state effort to build personal dossiers on U.S. persons via healthcare, government, hotel, and credit-bureau records — has hardened over time as the same actor cluster's pattern of targeting has accumulated.

Why it matters

Anthem is part of the "big four" Chinese collection campaign — Anthem (healthcare), OPM (government clearance), Marriott / Starwood (travel), and Equifax (credit history). Together these four datasets describe a comprehensive U.S. population: where they have lived, where they have travelled, who they work for, what their financial history looks like, and what their medical conditions are.

The strategic value of the combined dataset for foreign-intelligence targeting is the central security policy lesson. No U.S. policy intervention since has been able to recover the stolen data, and the strategic disadvantage is permanent.

The Anthem case also catalysed:

  • HIPAA enforcement expansion by the HHS Office for Civil Rights, with significantly higher per-violation penalty ceilings and more aggressive investigations.
  • Tighter state attorney general activity on healthcare breaches, with multi-state coordinated settlements becoming the norm rather than the exception.
  • Healthcare sector adoption of MFA and segmentation for administrative and warehouse-query infrastructure, where previously these had been considered internal trust zones.

Financial impact

Reported costs in USD

Total reported loss: $260.0M (USD 260,000,000)
  • Business loss: $100.0M
  • Remediation: $145.0M
  • Fines & settlements: $39.5M

Timeline

  1. Initial intrusion via spearphishing of an Anthem subsidiary IT administrator. Stolen credentials grant access to Anthem's enterprise data warehouse.

  2. Operators begin bulk queries against Anthem's enterprise data warehouse, exfiltrating customer PII at high rate.

  3. Anthem database administrator notices unusual queries running under their own credentials and reports the activity.

  4. Anthem publicly discloses the breach affecting 78.8 million current and former members.

  5. FireEye / Mandiant publicly attributes the operation to Chinese state actors (cluster Black Vine).

  6. Anthem settles class action for $115 million — largest U.S. data-breach class settlement at the time.

  7. Anthem agrees to $16M HHS Office for Civil Rights HIPAA settlement — largest HIPAA penalty in U.S. history.

  8. U.S. DOJ indicts Fujie Wang and a co-conspirator (named only as 'John Doe') for the Anthem intrusion plus three other corporate breaches between 2014 and 2015.

Sources

  1. justice.gov: https://www.justice.gov/opa/pr/member-sophisticated-china-based-hacking-group-indicted-series-computer-intrusions-including
  2. oag.ca.gov: https://oag.ca.gov/system/files/attachments/press_releases/AVC%20Anthem%20Final.pdf
  3. ftc.gov: https://www.ftc.gov/news-events/news/press-releases/2018/10/anthem-pay-115-million-largest-data-breach-settlement-history
