Chinese national indicted in connection with Anthem’s massive data breach

A federal grand jury in Indianapolis has indicted a Chinese national in connection with the massive computer hacking of health insurer Anthem Inc. in 2015 that compromised the private information of 78.8 million customers and former customers.

The U.S. Justice Department said Thursday afternoon that Chinese resident Fujie Wang, 32, and other members of a hacking group broke into the computer networks of Anthem and three other U.S. businesses and installed malware to thwart the systems and steal private information. The other hacked companies were not identified.

Wang and another defendant, identified only as John Doe, were charged with one count of conspiracy to commit fraud and related activity in relation to computers and identity theft, one count of conspiracy to commit wire fraud, and two substantive counts of intentional damage to a protected computer.

The FBI has issued a "wanted" poster for Wang, who is believed to live in Shenzhen, China. It isn't clear whether prosecutors would be able to bring him to the United States for trial if he is apprehended. The U.S. Attorney's Office for the Southern District of Indiana declined to comment.

Prosecutors say the defendants used “extremely sophisticated techniques” to hack into Anthem’s computers and steal confidential business information and patient records. That included sending specially tailored “spearphishing” emails with embedded hyperlinks to employees. After a user accessed the hyperlink, a file was downloaded that, when executed, deployed malware that compromised the user’s computer system by installing a tool known as a back door that gave the defendants remote access to the system.

The hackers were able to steal the private data of tens of millions of Anthem customers, including names, health identification numbers, dates of birth, Social Security numbers, addresses, telephone numbers, email addresses, employment information and income data, according to the indictment.

“The allegations in the indictment unsealed today outline the activities of a brazen China-based computer hacking group that committed one of the worst data breaches in history,” Assistant Attorney General Brian A. Benczkowski of the Justice Department’s criminal division said in a statement.

Prosecutors said Anthem’s cooperation and openness in working with the FBI “was imperative in allowing for the identification” of the defendants.

Anthem reported the computer breach in early 2015, a disclosure that touched off more than 100 class action lawsuits against the insurer, accusing it of inadequate data security. The cases were consolidated into a suit in California. A federal judge approved a $115 million settlement between Anthem and the plaintiffs in 2017. The settlement was the largest to date in a U.S. data-breach case.

“The cyber attack of Anthem not only caused harm to Anthem, but also impacted tens of millions of Americans,” U.S. Attorney Josh Minkler said in a statement. “This wanton violation of privacy will not stand, and we are committed to bringing those responsible to justice.”

The Indianapolis-based insurer said Thursday it was grateful for the work of the FBI and other law enforcement agencies.

“Anthem takes the security of its data and the personal information of consumers very seriously,” the company said in a statement. “We are committed to safeguarding Protected Health Information and Personally Identifiable Information, and adapting to the changing health care information security environment and will continue to collaborate with state and federal regulators and partners in this critical work. There is no evidence that information obtained through the 2015 cyberattack targeting Anthem has resulted in fraud.”

The indictment said that after hacking into computers, defendants sometimes waited patiently for months before taking action, eventually engaging in reconnaissance by searching the network for data of interest.

The defendants stole data by placing it into encrypted archive files and then sending it through multiple computers to destinations in China, prosecutors said.

The indictment alleges that on multiple occasions in January 2015, the defendants accessed Anthem’s computer network and its enterprise data warehouse and transferred encrypted files containing personally identifiable information from Anthem’s data warehouse to China.

Finally, the indictment said, the defendants then encrypted archive files from the computer networks in an attempt to avoid detection.

Wang controlled two domain names connected to the criminal activity, according to prosecutors.

The case was investigated by the FBI’s Indianapolis field office, with the help of the Justice Department’s National Security Division and Criminal Division’s Office of International Affairs.
