The hackers behind national insurer Anthem's massive 2014 cybersecurity breach that exposed 78.8 million patient records were likely working on behalf of a foreign government, an investigation by several state insurance commissioners concluded.
The California Department of Insurance, which launched the investigation into Anthem's cyberattack along with six other state insurance departments, also said that Anthem agreed to invest $260 million in improving its information security systems.
A report released Friday detailing the investigation's findings did not identify the hackers or the foreign government for which they worked. A spokeswoman for the California Insurance Department said federal officials requested the department not provide any information regarding what government was behind the breach because of an ongoing federal probe.
Other cybersecurity firms have previously said that they were able to peg the breach to China because the malware was so unique .
“In this case, our examination team concluded with a significant degree of confidence that the cyberattacker was acting on behalf of a foreign government,” California Insurance Commissioner Dave Jones said in a statement announcing the findings. “Insurers and regulators alone cannot stop foreign government-assisted cyberattacks."
The United States government needs to take steps to prevent and hold foreign governments and other foreign actors accountable for cyberattacks on insurers, much as the president did in response to Russian government-sponsored cyberhacking in our recent presidential election, Jones added, referring to Friday's intelligence report which found that the Russian government developed a "clear preference for President-elect Donald Trump" and aimed to undermine public faith in the U.S. democratic process, denigrate Democratic Party nominee Hillary Clinton and harm her electability and potential presidency.
The Anthem report stated that Crowdstrike, a cybersecurity firm hired to investigate the breach, found that “attacks associated with this foreign government have not resulted in (personally identifiable information) being transferred to non-state actors.”
Crowdstrike and Alvarez & Marsal Insurance and Risk Advisory Services, which also investigated the breach, did not immediately respond to requests for comment.
Anthem, the nation's second-largest insurer, announced the cyberattack in February 2015. Hackers infiltrated Anthem's information technology system a year earlier, gaining access to members' names, birth dates, Social Security numbers, home addresses and other personal information. The hackers gained access to Anthem's data warehouse and other Anthem computer systems when a user at one of Anthem's subsidiaries opened a phishing email containing malware, according to the California Insurance Department's report.
The breach landed Anthem in hot water and accentuated the importance of proactive cybersecurity strategies in all industries. Anthem members have filed a class action lawsuit alleging their identities have been stolen, leading to lower credit scores and fraudulent financial activity.
An Anthem spokeswoman said the insurer is working with the FBI and has found no evidence that the hackers shared or sold members' data, or evidence that fraud has occurred against individuals as a result of the breach.
“Anthem takes the security of its information and the personal information of consumers very seriously and is committed to protecting the data of its customers,” the spokeswoman said in a statement.
The insurer will also provide credit protection to consumers whose information was compromised, officials said.
Costs related to the cyberbreach could amount to millions of dollars, but no estimates or hard figures have been released. The Anthem spokeswoman said that the National Association of Insurance Commissioners, which reached an agreement with Anthem in December over the cyberattack, determined that no fine or penalty is warranted. The California Department of Insurance's announcement summarizes the National Association' recent findings.