The data breach at health insurer Anthem has certainly raised eyebrows across the US. They rose a lot more, however, once it was announced that the hacked database containing the personal information of 80 million people wasn’t encrypted.

What’s worse is that the organization isn’t legally required to encrypt that data.

The breach, which was announced last week, saw the theft of up to 80 million personal records in what the CEO called a “very sophisticated external cyberattack”, which loosely translates as “someone’s password was ‘password’”.

It has to be said, however, that even if the data was encrypted, it may still have been possible for the hackers to steal, decrypt, and sell that data.

So why aren’t they required to encrypt data?

The Health Insurance Portability and Accountability Act (HIPAA) states that health insurance companies such as Anthem are not required to encrypt the data stored on their servers.

Encryption is recommended if the health insurer believes it will mitigate risk, but ultimately the lack of requirements leaves it down to each organization to decide whether or not they encrypt data.

Anthem spokeswoman Kristin Binns told The Wall Street Journal that the company encrypts personal data when it’s moved in or out of the database but not when it’s stored, a practice she said is common in the industry.

“We use other measures, including elevated user credentials, to limit access to the data when it is residing in a database,” Binns added.

And we all know how well those “other measures” worked.

Encrypting a database that is constantly accessed isn’t necessarily an ideal solution. It makes it harder for that data to be accessed by legitimate users. That being said, if your alternative is to better protect how that database is accessed, then make sure that alternative is actually effective.

Subscribe below for more updates on the Anthem data breach.