(Bloomberg) -- Investigators of Anthem Inc.’s data breach are pursuing evidence that points to Chinese state-sponsored hackers who are stealing personal information from health-care companies for purposes other than pure profit, according to three people familiar with the probe.

The breach, which exposed Social Security numbers and other sensitive details of 80 million customers, is one of the biggest thefts of medical-related customer data in U.S. history.

The attack appears to follow a pattern of thefts of medical data by foreigners seeking a pathway into the personal lives and computers of a select group -- defense contractors, government workers and others, according to a U.S. government official familiar with a more than year-long investigation into the evidence of a broader campaign.

The Anthem theft follows breaches of companies including Target Corp., Home Depot Inc. and JPMorgan Chase & Co. that have touched the private data of hundreds of millions of Americans and increased pressure on the U.S. government to respond more forcefully. Though President Barack Obama promised action against North Korea after the destruction of property at Sony Pictures Entertainment, corporations and the government have struggled to come up with appropriate responses to attacks that fall into a gray area between espionage and crime.

‘Phishing’ Attacks

Technical details of the attack include “fingerprints” of a nation-state, according to two people familiar with the investigation, who said China is the early suspect.

The Federal Bureau of Investigation is leading the investigation, according to Anthem, which has hired FireEye Inc., a Milpitas, California-based security company, to assist.

China has said in the past that it doesn’t conduct espionage through hacking. The Chinese embassy in Washington didn’t immediately respond to a request for comment.

Hackers could use stolen information -- which Anthem said in its case included birthdates and e-mail addresses -- to conduct “phishing” attacks on customers who unwittingly provide access to their companies’ networks. Government officials have been investigating whether foreign interests are using personal, financial or medical information as leverage to gain intelligence from people who want their information to stay private, according to the U.S. official.

Adviser Hacked

Michael Daniel, President Obama’s chief adviser on cybersecurity, is an Anthem customer who would be resetting his password, he said in a Bloomberg Web seminar early Thursday.

Among those insured by Anthem have been employees of Northrop Grumman Corporation, according to the insurer’s website, while the company has processed claims for workers at The Boeing Company in Missouri. Boeing has about 15,000 workers in Missouri, where the company’s defense unit is based. Those and other defense contractors could be of interest to foreign intelligence organizations.

Anthem spokeswoman Kristin Binns declined to comment.

John Dern, a spokesman for Boeing, and Mark Root, a spokesman for Northrop Grumman, didn’t immediately comment. Jenny Shearer, a spokeswoman for the FBI, declined to comment.

Building Profiles

In the past year, Chinese-sponsored hackers have taken prescription drug and health records and other information that could be used to create profiles of possible spy targets, according to Adam Meyers, vice president of intelligence at Crowdstrike, an Irvine, California-based cybersecurity firm. He declined to name any of the companies affected.

“This goes well beyond trying to access health-care records,” Meyers said. “If you have a rich database of proclivities, health concerns and other personal information, it looks, from a Chinese intelligence perspective, as a way to augment human collection.”

That doesn’t mean that personal information wouldn’t make its way to criminals, he cautioned, pointing to the possibility of moonlighting by hackers who work by day for China.

A different major U.S. health insurer was breached recently by Chinese hackers, according to a person involved in that investigation, who asked not to be identified because the matter is confidential. In that case, investigators concluded that the goal of the hack was to obtain information on the employees of a defense contractor that makes advanced avionics and other weaponry, said the person, who declined to identify the insurer.

The hackers first hijacked a translation website that the insurer’s customer representatives used when dealing with foreign clients, using it to implant malware on the company’s computers, the person said.

Hard Targets

“A lot of these healthcare companies have a lot of very trusted relationships at the network level and the corporate level to some very hard targets on the federal side and the commercial side,” said Orion Hindawi, co-founder and chief technology officer for Tanium Inc., a Berkeley, California-based security firm that is used by banks, healthcare and other companies.

“The healthcare environment is in an unfortunate position: It didn’t expect to be a high, heavy target five years ago, so they didn’t prepare,” Hindawi said. “They didn’t expect to have advanced threats from nation-state actors targeting them.”

Deep Panda

At Anthem, officials detected the theft of the trove of customer information as it was being sent from its computers on Jan. 29, according to one of the people.

Meyers said the breach fits the pattern of a hacking unit that Crowdstrike calls Deep Panda, which over the last several months has targeted both defense contractors and the health care industry. China appears to be putting together huge databases of individuals who might be intelligence targets, he said. Another example was the theft last year from a government agency of data on tens of thousands of employees who had applied for top-secret clearances, he said.

The Anthem investigation is young, several people involved cautioned, saying the final determination of the hackers’ identity could ultimately change. The estimated number of customers whose data was stolen could also turn out to be lower, one of the people said.

U.S. intelligence officials have been increasingly concerned that repeated attacks on medical and pharmaceutical firms are at least in part efforts to obtain personal information for espionage purposes.

Two officials, who spoke on condition of anonymity to discuss classified efforts to pursue the attackers, said a number of the attacks came from the People’s Liberation Army’s Unit 61398. Five members of that Shanghai-based hacking unit were indicted by federal prosecutors last year.

Dual-Purpose Hack

A different and more sophisticated group attacked Anthem, based on initial indications, two people familiar with the investigation said.

Like many other Chinese hacking campaigns, the attacks appear to serve multiple purposes -- one commercial and the other related to national security -- said one of the U.S. officials. The attacks, this official and a former intelligence officer said, can test a firm’s ability to protect intellectual property and financial information, while simultaneously stealing prescription records, medical treatment histories and other personal information that could be used to blackmail individuals to reveal national security and trade secrets.

The attacks apply new technology to some of the oldest espionage trade craft in the world, the former official added.

--With assistance from Julie Johnsson in Chicago and Richard Clough in New York.

Copyright 2018 Bloomberg. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
