BCBS Notifying 520,000 about Breach

Tennessee plan had 57 hard drives stolen
BlueCross BlueShield of Tennessee has broadened its breach notification efforts to more than 520,000 of its current and former members in the wake of a computer hard drives theft last year.

The Blues plan is notifying in three phases members whose information may have been compromised. The timing of notifications is based on the amount of information about them that was on the hard drives, which were encoded but not encrypted. The Blues plan has almost 3 million members.

The 57 hard drives, which were on servers, were not encrypted because the information stored on them was for internal purposes only and not to be shared with anyone, says Mary Thompson, a spokesman for the insurer.

"BlueCross believes there is minimal risk to members' data being accessed due to the specialized nature of the hardware stolen and the difficulties associated with accessing the stored data," the insurer said in a statement on its Web site.

$7 million so far

Nevertheless, the insurer has spent more than $7 million so far dealing with the aftermath of the theft, Thompson confirms. "These expenses include auditing the backup files for the stolen data, reviewing and matching data to member information, engaging outside legal counsel and security services, and providing protection services to at-risk members," she adds.

As of Feb. 5, more than 220,000 members had been notified about the breach, the insurer said. These members had their name, address, member ID number, diagnosis, Social Security number and/or date of birth on the stolen hard drives. Now, the insurer is extending notification to another 300,000 members who had less information on the drives.

So far, there have been no incidents of identity theft or credit fraud involving the insurer's members as a result of the incident, Thompson says. The Chattanooga Police and the FBI are continuing an investigation, she adds.

The Blues plan is offering all affected subscribers and their family members a variety of free credit protection and identity theft protection measures, depending on how much information they have at risk.

Call center incident

On Oct. 2, 2009, the 57 hard drives were stolen from servers in a leased facility in Chattanooga that formerly housed a call center for the insurer. The insurer was in the process of moving out of the facility, where several employees still worked, Thompson explains.

The hard drives contained audio and video files related to coordination of care and eligibility telephone calls from health providers and members. The video files were images from computer screens of customer service representatives, and the audio files were recorded phone conversations from Jan. 1, 2007 to Oct. 2, 2009.

The Blues plan had backup files of all the stolen data and has been working with Kroll Inc., a risk consulting firm, since October to review files and identify members whose personal information may be at risk.

The insurer said it expects to complete all notifications by the end of the first quarter. "Due to the amount and types of the data involved, it is taking significant time to review each recording," the insurer noted in a background statement on its Web site.

Notification timing

The Blues plan immediately notified the U.S. Department of Health and Human Services about the breach to comply with the HITECH Act, Thompson says.

It notified brokers and group administrators Oct. 6; it began sending letters to members and former members Nov. 23, she adds.

The letters were delayed, Thompson says, because of the time it took to analyze the data, retrieve member ID information and organize the mailing.

Lessons learned

The insurer hired Kroll to conduct an independent assessment of its system-wide security and has already initiated some changes, Thompson says.

For example, all information will now be housed in buildings that the company owns, rather than leased facilities, she notes.

"We have reviewed and reinforced physical security measures at all company-owned and leased properties by adding additional video camera surveillance, reviewing our biometric and key card access readers, and increasing our security personnel presence," she adds.

Updates are available at www.bcbst.com.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.