On Thursday, the Justice Department charged a Chinese hacking group with carrying out one of the largest criminal hacks in United States health care history, which resulted in 79 million people having their personal information stolen.
In the four-count indictment cited by the Justice Department, officials allege that Wang Fujie, 32, and another man referred to only as John Doe intruded into US computer systems, including those of Anthem, a health insurance giant, and three other businesses, between February 2014 and January 2015.
“The defendants used sophisticated techniques to hack into the computer networks of the victim businesses without authorization,” and “then installed malware and tools on the compromised computer systems to further compromise the computer networks of the victim businesses.”
First reported in February of 2015, the Anthem breach exposed sensitive personal information for as many as 80 million Americans. According to the indictment, the hackers began with spearphishing emails, containing embedded hyperlinks, sent to the targeted businesses. Once the target clicked on the hyperlink, a file would start to download that deployed the malware, installing a backdoor that gave the hackers access to the computer system. They then stole subscribers' personal information, such as names, dates of birth, addresses, telephone numbers, email addresses, and employment and income data, as well as more sensitive information such as health identification and Social Security numbers.
The alleged hackers were detected by authorities in January 2015 after officials likely traced them through domains registered for use in the attack as well as the virtual private systems used to steal data. These virtual private systems were paid for using Alipay, which may have led Justice Department officials to Wang.
“The allegations in the indictment unsealed today outline the activities of a brazen China-based computer hacking group that committed one of the worst data breaches in history,” Assistant Attorney General Brian Benczkowski said.
In October 2018, Anthem paid the US government $16 million as a result of the privacy violations.
“The cyber attack of Anthem not only caused harm to Anthem, but also impacted tens of millions of Americans,” said US attorney Josh Minkler. “This wanton violation of privacy will not stand, and we are committed to bringing those responsible to justice.” The indictment also calls for the defendants to forfeit any property obtained or used as part of the hacking campaign.