The cyberattack on health insurer Anthem Inc. unfolded in a way reminiscent of other operations by a Chinese hacking group, according to security technology provider CrowdStrike.
Adam Meyers, CrowdStrike's vice president of intelligence, said his team has "a medium to high degree of confidence" that the Anthem assault ties back to Deep Panda, one of about 30 hacking groups based in China that his company monitors.
"We've seen Deep Panda target healthcare before and they have in the past spoofed domains to look like healthcare providers," he said. "It would definitively make them the likeliest candidate for this kind of activity."
CrowdStrike isn't involved in Anthem's investigation into its recent breach. But it has seen Deep Panda intrude into the computer networks of companies from a broad set of industries across the world in a way that shows they are aligned with the passing interests of the Chinese government, Meyers said.
Two sources familiar with Anthem's investigation cautioned that it's too early to rule out other culprits.
Some cybersecurity experts have said that China, or any other hacker with similar motivations, uses stolen data to target particular individuals, such as spies or government contractors, in subsequent cyberattacks.
"Having a repository of where they live, their security clearances, their health information, you can find out what their weaknesses are," Meyers said.
A cyberattacker remained inside Anthem Inc. for a few weeks before an employee on Jan. 27 noticed suspicious use of his corporate account.
"It's rare and it's lucky," said Dan Berger, chief executive of Carpinteria-based Redspin, which specializes in healthcare data security. "Who knows how long it would have gone undetected?"
Many cyberattacks last three to six months before they are spotted, experts said. Also unlike this case, outside researchers usually find pilfered data on the Web before a company realizes that data have been stolen.
In the Anthem breach, the personal information, including Social Security numbers, of as many as 80 million customers and employees were moved out of the company's network.
How the cyberattacker was able to get into Anthem's system is unclear, but Berger said he would bet that an employee was duped by a fraudulent email — known as a spearphishing attack — into giving up a username and password for Anthem's systems.
"It just underscores the need for security awareness training for all employees," said Berger, whose information was among the compromised batch.
Anthem said no medical data about its customers were taken. That's surprising because once inside, a cyberattacker likely had close to free rein, said Ben Goodman, president of cybersecurity consulting firm 4A Security and Compliance.
A cyberattacker who apparently had all the needed logins for Anthem's databases could have accessed the detailed medical dossier, had he desired, whether the file was encrypted or not.
Electronic health records are valuable on the black market because fraudsters can use them to buy medications or even undergo procedures using someone else's name. Though less lucrative, the types of general customer data that were compromised in this case can be sold off or taken advantage of much faster.
Hackers in last year's breach of 4.5 million records at hospital operator Community Health Systems also didn't touch the electronic health records, Goodman said. Community Health said it was targeted by someone in China.
The scope of the Anthem attack still is more than enough to raise the bar for what the healthcare industry should consider reasonable care of data, experts said. Businesses in the financial and retail industries have boosted spending on cybersecurity following a string of high-profile breaches in the last two years. Now, it's likely that the healthcare industry will follow suit.
"What was considered reasonable is getting more rigorous with each attack in the news, every day," Goodman said.
Chat with me on Twitter @peard33