BCBS Notifying 520,000 about Breach
Tennessee plan had 57 hard drives stolen
The Blues plan is notifying, in three phases, members whose information may have been compromised. The timing of each member's notification depends on how much information about them was on the hard drives, which were encoded but not encrypted. The Blues plan has almost 3 million members.
The 57 hard drives, which were on servers, were not encrypted because the information stored on them was for internal purposes only and not to be shared with anyone, says Mary Thompson, a spokesman for the insurer.
"BlueCross believes there is minimal risk to members' data being accessed due to the specialized nature of the hardware stolen and the difficulties associated with accessing the stored data," the insurer said in a statement on its Web site.
$7 million so far
Nevertheless, the insurer has spent more than $7 million so far dealing with the aftermath of the theft, Thompson confirms. "These expenses include auditing the backup files for the stolen data, reviewing and matching data to member information, engaging outside legal counsel and security services, and providing protection services to at-risk members," she adds.
As of Feb. 5, more than 220,000 members had been notified about the breach, the insurer said. These members had their name, address, member ID number, diagnosis, Social Security number and/or date of birth on the stolen hard drives. Now, the insurer is extending notification to another 300,000 members who had less information on the drives.
So far, there have been no incidents of identity theft or credit fraud involving the insurer's members as a result of the incident, Thompson says. The Chattanooga Police and the FBI are continuing an investigation, she adds.
The Blues plan is offering all affected subscribers and their family members a variety of free credit protection and identity theft protection measures, depending on how much information they have at risk.
Call center incident
On Oct. 2, 2009, the 57 hard drives were stolen from servers in a leased facility in Chattanooga that formerly housed a call center for the insurer. The insurer was in the process of moving out of the facility, where several employees still worked, Thompson explains.
The hard drives contained audio and video files related to coordination of care and eligibility telephone calls from health providers and members. The video files were images from computer screens of customer service representatives, and the audio files were recorded phone conversations from Jan. 1, 2007 to Oct. 2, 2009.
The Blues plan had backup files of all the stolen data and has been working with Kroll Inc., a risk consulting firm, since October to review files and identify members whose personal information may be at risk.
The insurer said it expects to complete all notifications by the end of the first quarter. "Due to the amount and types of the data involved, it is taking significant time to review each recording," the insurer noted in a background statement on its Web site.
The Blues plan immediately notified the U.S. Department of Health and Human Services about the breach to comply with the HITECH Act, Thompson says.
It notified brokers and group administrators Oct. 6; it began sending letters to members and former members Nov. 23, she adds.
The letters were delayed, Thompson says, because of the time it took to analyze the data, retrieve member ID information and organize the mailing.
The insurer hired Kroll to conduct an independent assessment of its system-wide security and has already initiated some changes, Thompson says.
For example, all information will now be housed in buildings that the company owns, rather than leased facilities, she notes.
"We have reviewed and reinforced physical security measures at all company-owned and leased properties by adding additional video camera surveillance, reviewing our biometric and key card access readers, and increasing our security personnel presence," she adds.
Updates are available at www.bcbst.com.