The 2015 Anthem data breach, one of the largest healthcare breaches in U.S. history, was initiated by a targeted phishing attack. An employee at one of Anthem's subsidiaries opened a malicious email, which led to the installation of malware on their system. This initial foothold allowed the attackers to move laterally within Anthem's network. Over several months, they escalated their privileges, eventually compromising the credentials of a database administrator. This high-level access enabled them to exfiltrate the Personally Identifiable Information (PII) of approximately 78.8 million individuals from a central data warehouse. The root cause was the successful social engineering of an employee, not an unpatched system or third-party vulnerability.

A. The compromise originated from a phishing email sent to an employee, not from an already compromised contractor system on the intranet.

B. The initial intrusion vector was credential theft via phishing, not the direct exploitation of a known, unpatched software vulnerability on a server.

C. The compromised credentials that enabled the data exfiltration belonged to an internal database administrator, not a third-party vendor.

1. California Department of Insurance. (2017). In the Matter of the Targeted Market Conduct Examination of Anthem

Inc.

File No. TCD-2015-01. Page 6

Paragraph 1 states

"The investigation revealed that the data breach was the result of a sophisticated cyberattack that began on February 18

2014

when an employee of an Anthem subsidiary opened a phishing email containing malicious content."

2. U.S. House of Representatives Committee on Oversight and Government Reform. (2015). The Anthem Data Breach: A Case Study. Staff Report. Page 2

"The Initial Intrusion

" details how the attack began with a spear-phishing email that tricked an employee into revealing their credentials

allowing malware to be installed.

3. Kruse

C. S.

Frederick

B.

Jacobson

T.

& Monticone

D. K. (2017). Cybersecurity in healthcare: A systematic review of modern threats and trends. Journal of Medical Systems

41(1)

1-10. In the "Discussion" section

the paper references the Anthem breach as a prime example of an attack initiated by phishing that led to the compromise of administrative credentials. (DOI: https://doi.org/10.1007/s10916-016-0629-8)