The California Office of the Attorney General disclosed a data breach at **Anthem, Inc.**, stemming from a **physical break-in at a third-party vendor’s office on August 3, 2021**. The incident was reported on **October 28, 2021**, exposing **personal information**, including **names and healthcare identifiers** of an **undisclosed number of individuals**. While the breach originated from a physical intrusion rather than a direct cyber attack on Anthem’s systems, the compromised data belonged to individuals associated with the company, indicating a **leak of sensitive personal and healthcare-related information**. The delay in detection and reporting (nearly **three months**) raises concerns about vendor security protocols and the potential for **misuse of stolen identifiers**, such as medical identity theft or fraud. Although the full scope of the exposure remains unclear, the involvement of **healthcare data**—a high-value target for cybercriminals—elevates the risk of downstream financial or reputational harm for affected individuals and the organization. The breach underscores vulnerabilities in **third-party risk management**, particularly when physical security lapses intersect with data protection obligations under regulations like **HIPAA** (Health Insurance Portability and Accountability Act).
Source: https://oag.ca.gov/ecrime/databreach/reports/sb24-546965
TPRM report: https://www.rankiteo.com/company/antheminc
"id": "ant014091825",
"linkid": "antheminc",
"type": "Breach",
"date": "8/2021",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Unknown',
'industry': 'Healthcare',
'location': 'United States (California)',
'name': 'Anthem, Inc.',
'type': 'Healthcare Insurance Provider'},
{'name': 'Unnamed Vendor',
'type': 'Third-Party Vendor'}],
'attack_vector': 'Physical Break-In (Vendor Office)',
'data_breach': {'number_of_records_exposed': 'Unknown',
'personally_identifiable_information': True,
'sensitivity_of_data': 'High (PII/PHI)',
'type_of_data_compromised': ['Personal Information',
'Healthcare Identifiers']},
'date_publicly_disclosed': '2021-10-28',
'description': 'The California Office of the Attorney General reported that '
'Anthem, Inc. experienced a data breach involving a physical '
"break-in at a vendor's office that occurred on August 3, "
'2021. The breach was reported on October 28, 2021, and '
'potentially impacted personal information, including names '
'and healthcare identifiers, though the number of individuals '
'affected is unknown.',
'impact': {'data_compromised': ['Names', 'Healthcare Identifiers'],
'identity_theft_risk': 'Potential'},
'initial_access_broker': {'entry_point': 'Physical Break-In (Vendor Office)'},
'references': [{'source': 'California Office of the Attorney General'}],
'regulatory_compliance': {'regulatory_notifications': 'California Office of '
'the Attorney General'},
'response': {'communication_strategy': 'Public Disclosure via California '
'Office of the Attorney General'},
'title': 'Anthem, Inc. Data Breach via Vendor Office Break-In',
'type': 'Data Breach (Physical Intrusion)'}