Anthem Data Wasn’t Encrypted, But It Might Not Have Mattered

Since the Anthem attackers reportedly used an administrator password, encryption probably wouldn’t have made a difference.


Health insurer Anthem says its compromised database of customer information wasn’t encrypted.

The Anthem attack is thought to have compromised identifying information — including names, addresses, employment data and social security numbers — for as many as 80 million Anthem employees and customers. (Video via Anthem)

Anthem executive Thomas Miller told The New York Times the insurer “had doubled its investment in this area over the last four years and was actively considering encrypting its internal database as well as taking other steps to improve its security.”

But it hadn’t locked down the database yet, in part because it isn’t required by law to do so.

The Health Insurance Portability and Accountability Act, or HIPAA, recommends — but does not require — that insurers encrypt their data if they think it will cut down on the risk of theft.

Anthem was trying to balance protection and usability, one insider told The Wall Street Journal.

“Scrambling the data could have made it less valuable to hackers or harder to access in bulk. It also would have made it harder for Anthem employees to track health care trends or share data with states and health providers.”

But there’s some evidence encryption wouldn’t have helped protect anything. Anthem officials say whoever hacked into their database used a stolen administrator password.

This means that, as far as the system was concerned, it was legitimate access: encryption at rest protects data from someone who bypasses the database's access controls, but a valid administrator login is exactly the kind of access the database is built to decrypt for, so the records would have been handed over in the clear anyway.
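The point above can be made concrete with a small model. The following is an added illustration, not code from Anthem or from any real database product: a toy datastore that applies transparent encryption at rest (the store holds its own data-encryption key and decrypts for any authenticated session). The cipher, the administrator password, the sample member records and the bulk-read threshold are all constructed for the example. It shows that the raw storage contains no plaintext, that a stolen administrator password nevertheless yields every record in the clear, and that the audit trail is still what lets a defender notice an export of that size.

```python
"""
Added illustration (not Anthem's code or any real product): a toy datastore with
transparent encryption at rest, showing why a stolen administrator password
defeats it and what a defender can still observe afterwards.
"""
import hashlib
import hmac
import os


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy counter-mode stream cipher built from SHA-256, constructed for this
    # example only (not a production cipher). Encrypt and decrypt are the same op.
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


class TransparentlyEncryptedStore:
    """The store holds the data-encryption key itself, as transparent
    encryption at rest does: rows are ciphertext on disk, but every
    authenticated query is decrypted automatically."""

    BULK_READ_THRESHOLD = 100  # constructed detection threshold (rows per session)

    def __init__(self, admin_password: str):
        self._dek = os.urandom(32)                     # key lives inside the store
        self._rows = {}                                # member_id -> (nonce, ciphertext)
        self._admin_hash = hashlib.sha256(admin_password.encode()).digest()
        self.audit_log = []                            # (session, rows_read)

    def insert(self, member_id: int, record: str) -> None:
        nonce = os.urandom(16)
        self._rows[member_id] = (nonce, _keystream_xor(self._dek, nonce, record.encode()))

    def disk_image(self) -> bytes:
        # What someone who copied the raw storage would see: ciphertext only.
        return b"".join(ct for _, ct in self._rows.values())

    def login(self, password: str) -> str:
        # The store cannot distinguish a stolen password from the administrator's own.
        candidate = hashlib.sha256(password.encode()).digest()
        if not hmac.compare_digest(candidate, self._admin_hash):
            raise PermissionError("bad credentials")
        return "admin-session"

    def export_all(self, session: str) -> list:
        if session != "admin-session":
            raise PermissionError("not authenticated")
        rows = [_keystream_xor(self._dek, n, ct).decode() for n, ct in self._rows.values()]
        self.audit_log.append((session, len(rows)))    # the one trace the defender keeps
        return rows

    def bulk_read_alerts(self) -> list:
        # Encryption did not stop the export, but the audit trail still shows a
        # single session reading far more rows than ordinary work would.
        return [entry for entry in self.audit_log if entry[1] >= self.BULK_READ_THRESHOLD]


def demonstrate() -> dict:
    store = TransparentlyEncryptedStore(admin_password="hunter2")   # constructed
    for i in range(500):
        store.insert(i, f"member {i}, SSN 000-00-{i:04d}")            # constructed sample rows
    disk = store.disk_image()
    session = store.login("hunter2")                                   # stolen password in use
    exported = store.export_all(session)
    return {
        "plaintext_on_disk": b"000-00-" in disk,
        "plaintext_via_stolen_password": all("SSN" in r for r in exported),
        "rows_exported": len(exported),
        "alerts": len(store.bulk_read_alerts()),
    }


if __name__ == "__main__":
    print(demonstrate())
```

The design choice worth noting is where the key lives: because the store can decrypt on its own, the credential is the only thing standing between an attacker and plaintext, which is why the audit trail and a bulk-read alert, rather than the encryption, are what give a defender a chance to catch the export.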

Now, of course, Anthem says it’s working to patch that fault in its security process. The insurer says it will also contact current and former customers with instructions for enrolling in credit and identity protection services.

This video includes images from Getty Images.