No encryption standard raises healthcare privacy questions

By InsuranceNewsNet.com / Associated Press  
   February 09, 2015

Insurers aren't required to encrypt consumers' data under a 1990s federal law that remains the foundation for health care privacy in the Internet age — an omission that seems striking in light of the major cyberattack against Anthem. Encryption uses mathematical formulas to scramble data, converting sensitive details coveted by intruders into gibberish. Anthem, the second-largest U.S. health insurer, has said the data stolen from a company database that stored information on 80 million people was not encrypted. The main federal health privacy law — the Health Insurance Portability and Accountability Act, or HIPAA — encourages encryption, but doesn't require it.
