Anthem health insurance company HQ
Anthem health insurance had some 80 million customer records compromised in a cyberattack that was initially blamed on Chinese hackers. The company's Indianapolis headquarters is pictured here. Wikipedia (Photo Credit: Serge Melki)

Health insurance provider Anthem did not encrypt the personal information belonging to 80 million customers that was compromised in the massive hack discovered last week. Doing so would have better protected the second-largest U.S. health insurer’s customers, but also would have made it more difficult for the company to work effectively with that information on a daily basis, experts say.

A source told the Wall Street Journal that Anthem chose not to encrypt the data because doing so would prolong the time to share that information with health care providers and other partners. Yet the risk of not doing so has been made clear, with Anthem now on the defensive as FBI investigators pursue the theory that state-sponsored Chinese hackers infiltrated the company. Anthem has said there is as yet no any indication the stolen data is for sale on the black market.

“Not surprisingly, Anthem is trying to downplay this breach as much as it can,” said Neal O’Farrell, a security and identity theft expert from CreditSesame.com. “Anthem was also at pains to put out there’s no evidence the stolen information has been used in a fraud. The truth is Anthem has no idea.”

The Health Insurance Portability and Accountability Act, which regulates confidentiality and information sharing in the health care industry, does not require insurance companies to encrypt customer data. They must “address” data protection methods but are free to remain unencrypted if the practical difficulties are deemed too great.

While the Chinese government has denied any involvement in the attack, the breach comes only months after Beijing was blamed for stealing 4.5 million hospital records. “Medical records provide identity theft on a platter,” Bill Tanenebaum, a New York attorney with the firm Kaye Scholar, told IBTimes at the time.

"Another reason why patient health care (information) is stolen is because hackers resell insurance or medical profiles to allow third parties to get medical treatment and have someone else’s insurance or Medicare credentials pay for it," he said.