BCBS of Tenn. Breach: Lessons Learned
Executives offer timely HITECH advice
On Oct. 2, 2009, someone stole 57 unencrypted hard drives from servers at a call center that BlueCross BlueShield of Tennessee had recently closed. So far, there have been no arrests, nor any evidence of fraud committed, the company reports.
But dealing with the aftermath of the breach has cost the insurer at least $7 million, executives acknowledge.
The incident is the largest reported so far on the HHS Office for Civil Rights' list of major breaches, which only tracks cases dating back to September 2009. That's when the HITECH Act's Breach Notification Rule kicked in.
Roy Vaughn, the insurer's director of corporate communications, encourages other organizations to keep one thing in mind as they prepare for breach notifications: "Life is 10 percent what happens to you and 90 percent how you respond to it."
Among the actions the Tennessee plan has taken and the lessons it has learned are:
- Adding a layer of physical security to protect servers is a prudent step.
- Encryption should be applied widely, including on servers.
- Appointing a chief security officer helps to ensure coordination of all security efforts.
- Organizations should carefully assess how long to store information.
- In preparing a breach notification plan, be sure to prepare a pre-selected list of vendors that can help with various tasks.
- Train customer service representatives to deal with breach-related questions from the public.
- Communicate frequent updates on breach investigations through the media and a Web site.
As of May 18, the insurer had completed its notification process for the October event, contacting nearly 1 million individuals in 45 states with the help of an outsourcer.
Although the HITECH Act Breach Notification Rule requires that those affected by a major breach be notified within 60 days, the Tennessee plan worked closely with federal regulators, explaining why it needed more time for the notifications, says Tena Roberson, deputy general counsel and chief privacy officer.
The missing hard drives contained audio and video files related to coordination of care and insurance eligibility telephone calls from healthcare providers and members. The video files were images from the computer screens of customer service representatives. The tedious manual process of identifying all information on the files took months to complete, Roberson explains.
In the wake of the incident, the Blues plan hired a consulting firm to conduct an assessment of its facilities. As a result, "we made some changes to fortify some areas," Vaughn says.
"Any servers we have now have an additional layer of physical security that makes it very difficult for anyone to get to them."
Vaughn declined to reveal any details about the additional layer of security.
In addition to protecting servers with more physical security, the insurer is "looking at solutions for encrypting all data at rest," including information stored on servers, says Michael Lawley, information systems director. Encrypting all servers could take 12 to 24 months, he estimates.
The insurer already has encrypted all its laptops and is in the process of encrypting workstations, Lawley adds.
The HITECH Breach Notification Rule has a safe harbor that exempts organizations from reporting breaches of data encrypted in a specific way.
Appointing a CSO
The breach incident "caused us to take a different look at the structure of security within our organization," Vaughn acknowledges.
As a result, all security functions have been consolidated under a chief security officer, a new position. Previously, security functions were divided among several departments, including properties/facilities, information systems and compliance.
Meanwhile, privacy issues are handled through the legal and risk management departments.
Store for how long?
An important lesson from the breach incident, Lawley says, is: "Companies should be keenly aware of what data they need to keep and for what specific timeframe. For anything beyond that timeframe they should have a process to purge it."
The missing call center hard drives contained information from Jan. 1, 2007 through Oct. 2, 2009. The information was backed up at another location.
The information was mainly gathered from call center conversations "recorded for quality purposes," notes Roberson, the chief privacy officer. "So there are no retention requirements for us to keep it for a very long period of time. We probably kept it longer than what was prudent, in hindsight."
Pre-select vendor partners
BlueCross BlueShield had a breach notification plan in place long before the HITECH Breach Notification Rule was issued last September, Roberson says. But the plan, which had been updated for HITECH compliance, lacked one critical element: a list of pre-selected vendors that could lend a hand with specific tasks, such as mailing notification letters to enrollees, she notes.
"I wish we had researched vendors we needed beforehand," she stresses. "I wish we didn't have to rush to find credit line attorneys, security review specialists and other assistance that we needed."
The insurer was well-served by its strategy of setting up an e-mail address and a toll-free number for consumers to reach customer service staff members who were "steeped in the details" of the breach incident, Vaughn says.
That way, "members got personalized attention when they called in," he says.
The Tennessee plan posted frequent, detailed updates on the status of its auditing, remediation and notification efforts on its Web site.
The latest update was posted May 18.
Executives at the plan were surprised by the lack of inquiries from members. "They may be somewhat desensitized to data breaches," Vaughn says. "We were surprised at the relatively low number of calls we had."
The most passionate reactions, he adds, came from decision makers at employers who had recommended BlueCross BlueShield coverage. "They felt like their personal reputations were on the line, and rightfully so," Vaughn says.
The insurer pre-paid for credit monitoring services for roughly 240,000 members, "but only about 26,000 have signed up for the services," Roberson adds.