Anthem data breach: health insurer failed to encrypt data that was stolen in industry’s biggest-ever hack

Your support helps us to tell the story

Support Now

Find out moreClose

As your White House correspondent, I ask the tough questions and seek the answers that matter.

Your support enables me to be in the room, pressing for transparency and accountability. Without your contributions, we wouldn't have the resources to challenge those in power.

Your donation makes it possible for us to keep doing this important work, keeping you informed every step of the way to the November election

Andrew Feinberg

White House Correspondent

The information that was stolen from Anthem in the biggest health-insurance cyber-attack ever last month was left unencrypted on the company’s servers, according to reports.

The data stolen related to the records of millions of customers and employees, Anthem said this week. While the hackers don’t seem to have had access to health records, the information stolen included names, birthdays, social security numbers, addresses and employment information, all of which could be used for fraud.

Failing to encrypt the information means that hackers will be able to look through the information much more easily. But because encrypting and then removing encryption from files is a slow process, it would have made it harder for the company to share the information with the various groups that it works with.

Anthem encrypts the information when it’s moved into or out of its database, but not when it is there, it told the Wall Street Journal, who reported the lack of encryption. Instead it uses other methods, “including elevated user credentials, to limit access to the data when it is residing in a database”, a spokesperson told the WSJ.

In a letter announcing the hack, the company said that it is “working around the clock to do everything we can to further secure your data”, CEO Joseph R Swedish wrote.

While encrypting the data would probably not have stopped the hackers from gaining access to the information — which was done using stolen employee logins — it would have made using it much harder.