After what must have been an enormous amount of political pressure, the federal Health Insurance Portability and Accountability Act (HIPAA) decided that health insurance companies are not required to encrypt the data stored on their servers. The HIPAA ruling recommends using encryption if the health insurer believes it’s an appropriate measure to mitigate risk. But the lack of a specific requirement essentially leaves it up to each company to decide how to protect its data.
Initially, our system developers were horrified by the implication. A bit of reasoning settled people down a bit.