A federal grand jury has indicted two members of “extremely sophisticated” hacking group operating from China in the 2014-2015 theft of the personal information of nearly 79 million customers of insurer Anthem Inc., the biggest known health care hack in U.S. history.
The Justice Department said the two also hacked three other U.S.-based companies it did not name, one in the technology sector, the others in basic materials and communications.
The indictment unsealed Thursday alleges Fujie Wang, a 32-year-old who goes by the Western name “Dennis,” and a man with three listed aliases identified as John Doe stole data including names, birthdates, Social Security numbers and medical IDs, first accessing Anthem’s network in May 2014.
Their access was not terminated until January 2015 after they were detected, the indictment says.
Indianapolis-based Anthem, the nation’s second-largest health insurer, agreed last October to pay the government a record $16 million to settle potential privacy violations.
Anthem said in a statement that it was “pleased” with the indictment and stressed that “there is no evidence that information obtained through the 2015 cyber-attack targeting Anthem has resulted in fraud.”
Alex Holden, founder and chief information security officer of the cybersecurity firm Hold Security, said there is no credible evidence any of the stolen data was ever put up for sale for use in identity theft. He said the Anthem data would be much more potent “on a state-sponsored level” for purposes of espionage than it would be in private hands.
The indictment did not say whether U.S. authorities have evidence the hackers were working for the Chinese state. U.S. officials blame state-backed Chinese hackers for rampant theft of Western intellectual property and trade secrets but did not lodge similar allegations in Thursday’s indictment.
A Justice Department spokeswoman had no comment when asked how confident it is that Wang will be brought to the U.S. for prosecution. The U.S. does not have an extradition treaty with China. The indictment says Wang lives in Shenzhen, China, and that Doe’s activities were China-based.
In a 2015 report, the cybersecurity firm Symantec said the Anthem hack was believed to be the work of a well-resourced Chinese group it called Black Vine that it said had been actively conducting cyberespionage for three years targeting industries including aerospace, energy and health care.
The indictment alleges that Doe and others in the hacking group used spear-phishing emails and other exploits to compromise the systems of the targeted companies. The two are charged with one count of conspiracy to commit fraud and related activity in relation to computers and identity theft, one count of conspiracy to commit wire fraud, and two counts of intentional damage to a protected computer.
When Anthem agreed to pay $16 million in a settlement with the Department of Health and Human Services, HHS said its investigation found that Anthem had failed to deploy adequate measures for countering hackers.
Bajak contributed to this report from Boston.