Many pundits have faulted Anthem for not encrypting their database, pinning that as the key vulnerability in the breach that exposed 80M identities. The Wall Street Journal paraphrases these pundits in a pithy headline "Health Insurer Anthem Didn’t Encrypt Data in Theft"
Not so fast. Encrypting the data in the database would only thwart the casual hacker who was tilting at the database naively. Any hacker with a modicum of sophistication would get the credentials of a legitimate insider and access the database from the front end via the decryption engine. As was the case in the Anthem Breach.
Anthem officials became aware of the breach when one of their senior administrators noticed someone was using his identity to request information from the database. The request — or query — by the hackers appears so far to have been for financial information only. Anthem officials say that medical information in insurance claims shared with doctors and hospitals — like whether a customer was treated for substance abuse, for example — does not appear to have been taken in the attack.
“We’re positive that the rogue query did not have medical data in it,” said Thomas Miller, Anthem’s chief information officer. The people who gained access to the database “consciously selected what they selected.”
Encryption is useful when your data is in a hostile environment. But encryption cannot protect against someone who has the decryption key. Or as in this case, the hacker pretending to be an insider who has legitimate access to the decryption key.