Skip to main content
Data Breaches

Encryption Not Required of Health Insurance Companies

Written by Jamie White for NortonLifeLock

Encryption is the gold standard of cyber safety. Basically, encryption uses a mathematical operation to scramble data, making it useless to thieves. The information is decrypted by using an electronic key, or multiple keys. You use encryption every time you utilize a website that begins with https. Those sites are protecting your passwords, credit card numbers and other sensitive data as it passes from your device to the company's servers.

It's also possible to encrypt information that's sitting idle, stored in electronic files. That way, no unauthorized person can rifle through the files. As a consumer, you'd like to think that any company that has your sensitive information, including Social Security number, would employ every technology available to protect you.

So how was the personal information of up to 80 million Americans stolen in the Anthem data breach? The company has admitted that its files were not encrypted. Other health insurance companies have been understandably mum on the topic. If they, too, are unencrypted they want to keep that information to themselves.

But the fact is — health insurance companies are not required by the federal government to encrypt data.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996, which requires you to approve the release of medical information, does not require insurers to encrypt the info. The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 encourages, but does not require encryption.

The Anthem breach may be the catalyst for change. Less than a month after the breach was revealed, the Senate Health, Education, Labor and Pensions committee announced a bipartisan initiative to make data more secure.

In a statement released when the initiative was announced, committee Chairman Lamar Alexander (R-Tenn.) said, Patients, hospitals, insurers — and all Americans who value the safety and privacy of their sensitive personal information — have a right to be alarmed by reports that their electronic records might be vulnerable to a cyber attack."

Staff meetings have already begun with participants from government, the health industry and cyber security experts. The talks are going beyond protecting personal information like Social Security numbers, and are also delving into the nightmarish field of protecting network-connected medical devices, like pacemakers, from tampering.

Anything that Congress requires is expected to be met with resistance from insurers and other health care companies, which have complained in the past about added costs. But the sheer size of the Anthem breach could tip the balance, making it cheaper for companies to pay for security than to clean up the mess caused by a hack.

Editorial note: Our articles provide educational information for you. Norton LifeLock offerings may not cover or protect against every type of crime, fraud, or threat we write about. Our goal is to increase awareness about cyber safety. Please review complete Terms during enrollment or setup. Remember that no one can prevent all identity theft or cybercrime, and that LifeLock does not monitor all transactions at all businesses.

Start your protection,
enroll in minutes.