Sqrrl Blog

Jul 22, 2015 8:30:00 AM

Cyber Incident Matrix: Anthem

Complexity Score: 4
Severity Score: 5
How did we get these numbers?

Incident Summary

  • What was breached: Anthem customer profile database

  • Delivery: April 2014 - February 2015

  • The Attackers:  No formal incrimination, Chinese government is suspected


On February 4th, 2015, Anthem Inc., formerly known as Wellpoint, announced that it had discovered a breach of its customer information database that resulted in the loss of 37.7 million records containing email addresses, home addresses, and Social Security numbers. After several weeks of forensic analysis, that number increased to 78.8 million affected records. While the formal FBI investigation has not concluded, it has been speculated that the Chinese government perpetrated the attack.

Sqrrl_Cyber_Incident_Matrix_Anthem-1 OPM Breach IRS Breach Anthem Breach

Complexity Score:

Plan Time

Indirect Attack

Cyber/Human Coordinated

Zero-Days Used

Time  Undetected

Advanced TTPs









The Anthem attackers orchestrated an advanced spear-phishing attack that targeted employees and encouraged them to access fraudlent version of web tools (VPN, HR, Citrix, etc.) connected to the domain “we11point.com,” mimicking Anthem’s former domain “wellpoint.com” changed in late 2014. After the employees were lured to the fake tools, attackers stored the credentials they obtained, using them to access real Anthem employee tools and move laterally through the system. It has been speculated that this same tactic was employed against Premera Blue Cross related to the domain “prennera.com.” The process of determining the tools Anthem had in place and replicating fake ones occurred over months, which paid off as the breach went undetected for almost a year’s time. Anthem discovered the intrusion on January 27th of this year, although by some estimates the intrusion occurred over 6 months earlier in April of 2014.

Severity Score:

Incident Costs

Physical Damage

Lives Lost

Nat. Sec. Impact







The volume of records exfiltrated (almost 80 million) in the Anthem breach brings the projected cost of remediation (at $154 per record) over 12 billion dollars. Additionally, Anthem provides medical insurance to federal government employees through its “Federal Blue Plan,” which covers more than 4 million federal employees according to the company. This information could be used abroad to blackmail federal employees or steal their identities and attempt to gain access to classified information.

Cybersecurity Analytics

Topics: Cybersecurity, Data Breach, Cyber Incident Matrix, Healthcare Breach