Anthem's computer experts, and private contractors the company has hired to investigate the hack, are convinced the breach of their systems came from China, according to government and private sector people involved in the investigation.
FBI investigators aren't ready to make that conclusion, according to U.S. law enforcement and other government officials briefed on the probe.
Neither is Anthem.
"It's premature. Nothing confirmed," said Kristin Binns, a company spokeswoman.
The hack was uncovered when a computer systems employee stumbled on the hack in progress, according to a U.S. official briefed on the investigation. A systems operator conducting routine monitoring of Anthem's databases noticed a massive movement of data in the company's systems. Looking further, the employee discovered that his own computer credentials were being used to carry out the operation. His credentials had been stolen.
It's a common tactic of hackers to steal the computer credentials of computer systems employees who have free rein of the databases they're trying to break into.
The investigation has turned up Chinese IP addresses and other signs that point to Chinese involvement.
However, it's common for hackers to route attacks through multiple countries and mask IP addresses in these attacks as a way to hide their trail. Computer servers in the U.S. also were used.
Law enforcement cyber experts say a hack like that against Anthem (ANTM) isn't the type that officials typically see from China. Stealing personal data on Americans is typically the trade of Russian, eastern European and criminal western hacking groups that specialized on selling private data on the black market for profit. Chinese hackers tend to target trade, economic, and national security secrets that could help the Chinese economy.
For example, last year Chinese hacker spies were caught breaking into nuclear power plants, steel manufacturers and a solar energy company.
Anthem's investigators believe they have an explanation for the unusual Chinese hack, according to people briefed on the company's investigation. The hackers were targeting the company's proprietary and intellectual secrets for managing health care systems. Chinese health care is undergoing its own crisis in recent years and the hackers were looking for the data to learn how a large American health care company manages its health delivery systems.
Cybersecurity firms that aren't working on this case caution that it's far too early to definitely say the Chinese government is behind this attack. Typically, the forensic investigation of a data breach takes weeks or months to even find out exactly how it occurred. And few ever discovered who did it.
However, one security firm, CrowdStrike, pointed out that it would fit the profile of a hacking group believed to be Chinese government spies.
The "Deep Panda" operation, as researchers deemed it, is seeking to amass a large collection of Americans' personal information.
The purpose? To find citizens willing to spy for the Chinese and identify potential U.S. spies operating in China, said Dmitri Alperovitch, CrowdStrike's cofounder. That's why Chinese hackers broke into U.S. federal employee network last year. They also broke at least three hospital chains and two insurance providers the public hasn't yet heard about, Alperovitch said.
--CNN's Jose Pagliery contributed reporting from New York.