Anthem Hack: Could The Insurer Have Prevented It?
by Matt O'Brien, San Jose Mercury News
The data of up to 80 million people that hackers stole from health care insurer Anthem’s database was not encrypted, sparking questions about whether the company had properly protected the information.
“Because an administrator’s account was compromised, no amount of encryption would have prevented this attack,” said Darrel Ng, a spokesman for Anthem Blue Cross in California, after the company began warning the public Wednesday about the breach.
That might be of little consolation to consumers fretting about hackers who now have access to their Social Security and medical identification numbers, names, birthdates, street addresses, email addresses and employment information, including income data. But most security experts agree there’s no single technological solution to stopping this from happening again.
“We’ve seen so many large breaches, whether it’s Target or Sony and now Anthem, and a lot of times there are calls for encryption,” said Steve Bellovin, a computer science professor at Columbia University. “Encryption is a valuable tool. Sometimes it’s going to help a lot. Other times it’s a lot harder than it sounds.”
Others say encrypting personal data could have helped.
“They claim it’s the expense. Really, there’s no excuse,” said Beth Givens, founder and director of San Diego-based Privacy Rights Clearinghouse. “Encryption is not a 100 percent solution but it makes that data far less desirable for fraudsters. They don’t want to take the time and effort to decode it.”