Alleged hackers accused of stealing 80 million customers’ records

Two men have been indicted over the 2015 Anthem data breach that saw 80 million customers’ personal details stolen.

The defendants, who are based in China, are accused of being part of a hacking group connected to the security breach at the health insurance company.

Names, dates of birth, and Social Security numbers were among the details stolen in the hack.

Anthem Inc was later fined $16 million by the Health Insurance Portability and Accountability Act (HIPAA), though it claims no wrongdoing. It also paid out $115 million to settle a class action lawsuit.

Fujie Wang, 32, a Chinese national, and another man identified as ‘John Doe’ were charged yesterday by the US Grand Jury in relation to the incident.

The indictment (PDF) alleges that Wang and the second defendant, who uses aliases including ‘Deniel Jack’ and ‘Kim Young’, were part of an “extremely sophisticated” hacking group targeting large businesses across the US.

Other victims also included a tech firm, a business based in the basic materials sector, and a communications firm, none of which were named.

The defendants are accused of launching a hacking campaign from February 18, 2014, until around January 31, 2015, gaining entry to the computer systems of Anthem Inc and the three further victims.

They are accused of gaining access via spear-phishing, malware, and other “sophisticated” attacks in order to access and steal personal and business data.

This data was then allegedly transferred to servers based in China.

Both Wang and his co-defendant have been charged on one count of conspiracy to commit fraud and related activity in connection with computers.

They have also been charged on one count of conspiracy to commit wire fraud, and two counts of intentional damage to a protected computer.

Anthem Inc reported the breach to authorities in March 2015. It concluded that a single employee responded to a malicious email sent via a spear-phishing campaign, giving hackers access to company systems.

The Office for Civil Rights claims that Anthem Inc failed to identify or respond to security attacks and did not implement adequate minimum access controls.

Director Roger Severino said at the time: “Unfortunately, Anthem failed to implement appropriate measures for detecting hackers who had gained access to their system to harvest passwords and steal people's private information.”

Anthem Inc remains at the top spot for paying the biggest HIPAA fine to date.