#breach #health-insurance #china

Anthem 2015

An intelligence service walked out of the second-largest US health insurer with 78.8 million records — names, birthdays, addresses, Social Security numbers.

Cyber Chronicle

In February 2015, Anthem — at the time the second-largest health insurer in the United States — disclosed that an attacker had accessed a database containing the personal information of about 78.8 million current and former plan members, plus employees of customer organizations whose health plans Anthem administered.

A long phishing tail

The intrusion began with a spear-phishing email opened by an Anthem subsidiary employee in April 2014. From that foothold, the attackers spent roughly nine months moving laterally through the network, harvesting credentials, and eventually reaching a database identified internally only as the "data warehouse". The breach was not discovered until a database administrator noticed his own user account running queries he had not issued.

The stolen data was unusually rich. Health insurers maintain identifiers that follow individuals across employers and life events — Social Security numbers, dates of birth, employment history — the canonical scaffold for synthetic identity fraud. None of it appeared on criminal forums for sale in the years that followed, a silence US officials cited as evidence the operation was not financially motivated.

A nation-state attribution

The US government and outside researchers attributed the Anthem intrusion to the same Chinese intelligence apparatus tied to the OPM breach disclosed months later. A 2019 federal indictment named two Chinese nationals; neither was extradited.

What the chronicle remembers

Anthem is the breach that broadened the public conception of espionage targets. The attackers were not interested in the company. They were interested in everyone the company knew — and in the United States, through health insurers, that subset is essentially the working population.