The Anthem hack was first discovered in January 2015 and left an estimated 78.8 million consumer records exposed. A team of investigators led by seven state insurance commissioners across the country, including California’s Dave Jones, were tasked with conducting a nationwide examination of the breach. Information security firm Mandiant was also hired by Anthem to conduct its own internal investigation into the cyber attack.

Click here to subscribe to Brainstorm Health Daily, our brand new newsletter about health innovations.

The investigators concluded that the hack actually began all that way back in February 2014, when just one user at an Anthem subsidiary opened a phishing email that then gave the hacker access to Anthem’s data warehouse. And the incident is likely to have been an intentional international attack.

“In this case, our examination team concluded with a significant degree of confidence that the cyber attacker was acting on behalf of a foreign government,” said Jones in a statement.

Jones added that Anthem has invested some $260 million into improving its IT infrastructure and beefing up its cybersecurity apparatus. But there’s only so much private companies can do on their own, and retaliatory measures along the lines of President Obama’s recent sanctions against Russia for hacking aimed at swaying the 2016 presidential election in Donald Trump’s favor may be in order.

“Insurers and regulators alone cannot stop foreign government assisted cyber attacks,” said Jones. “The United States government needs to take steps to prevent and hold foreign governments and other foreign actors accountable for cyber attacks on insurers, much as the President did in response to Russian government sponsored cyber hacking in our recent presidential election.”

While the report did not name the purported hacker or the foreign government in question, there has been speculation that many recent health care data breaches were launched in China.