Anthem didn't encrypt the personal data of its customers prior to the massive hack it suffered last month, according to a report in the Wall Street Journal. Citing a person familiar with the matter, the Journal reports that encrypting the data would have made it more difficult for hackers to access, though it would have made it harder for the health insurance company to analyze and share the data with providers and states.
It was revealed this week that hackers stole millions of records on customers and employees at Anthem, the second-largest health insurer in the US. The hackers obtained names, birthdays, addresses, and Social Security numbers, though there is no sign that they accessed any medical records. Authorities are investigating a possible link to a group based in China.
Federal law doesn't require insurers to encrypt customer data
An Anthem spokeswoman tells the Journal that the company, like other health insurers, encrypts customer data only when it is transferred in or out of its database, and uses "other measures, including elevated user credentials, to limit access to the data when it is residing in a database." She adds that the government and employers require insurers to use Social Security numbers as unique identifiers for their customers.
Federal law says health insurers must "address" data encryption in their security protocols, but encryption itself is not mandated. For some companies, it comes down to a choice between added security and extra cost, though it's not clear whether encryption alone could have thwarted the attack on Anthem, since it was carried out with stolen employee credentials. The issue isn't exclusive to the healthcare industry, either: Sony Pictures didn't encrypt its data prior to a major cyberattack late last year.
"We join you in your concern and frustration, and I assure you that we are working around the clock to do everything we can to further secure your data," Anthem CEO Joseph Swedish wrote in a letter published to the insurer's website this week.