Anthem didn't encrypt consumer data
- Anthem has sparked debate after revealing that it stored the Social Security numbers of its customers without encryption, in an apparent attempt to balance protecting the data against still being able to use it.
- Experts told the Wall Street Journal that scrambling the data could certainly have made it less accessible and valuable to hackers. However, "it also would have made it harder for Anthem employees to track healthcare trends or share data with states and health providers."
- Anthem's decision on how to balance risk vs. accessibility proved catastrophic last week when it became the victim of the largest data breach ever disclosed in the healthcare industry.
Employers and government agencies "require us to maintain a member's Social Security number in our systems so that their systems can uniquely identify their members," Anthem spokeswoman Kristin Binns told the Wall Street Journal. She says Anthem encrypts its customers' personal data when it is transferred in or out of their database, but not while it's being stored, which "is common in the industry."
The question is whether consumers will treat this strategy as an acceptable industry standard. The debate is sure to reverberate throughout the health insurance industry and to have watchdogs asking tough questions that companies will have to answer. Insurers in particular will be re-evaluating the risk/benefit analysis of their current security strategy in light of the Anthem breach.
- The Wall Street Journal: "Health Insurer Anthem Didn’t Encrypt Data in Theft"