Tennessee Breach Case Grows to 1 Million

BCBS plan continues to notify members
Tennessee Breach Case Grows to 1 Million
BlueCross BlueShield of Tennessee has doubled to nearly 1 million its estimate of the number of current and former members whose personal information was on 57 stolen hard drives.

The investigation into the incident, dating back to October 2009, is continuing, so more members with data on the disks likely will be identified, says spokesman Mary Thompson. But she anticipates that the number of members added in the final report, coming soon, should be small.

"So far, there is no indication that the stolen data has resulted in any fraudulent activity," Thompson says. The Chattanooga Police and the FBI are continuing an investigation.

The insurer acknowledges that ongoing expenses for the case, estimated at more than $7 million as of February, are continuing to grow.

Largest incident

Even before the latest update, the case was the largest breach incident reported so far to federal authorities under the HITECH breach notification rule, which kicked in last September. Under the rule, organizations must report to the media and the Department of Health and Human Services breaches affecting more than 500.

On Oct. 2, 2009, some 57 unencrypted hard drives were stolen from servers in a leased facility in Chattanooga that formerly housed a call center for the insurer. The company was in the process of moving out of the facility, where several employees still worked.

The Blues plan had backup files of all the stolen data and has been working with Kroll Inc., a risk consulting firm, to review files and identify members whose personal information may be at risk. Personal information on some 998,422 current and former members was on the hard drives, the investigation has determined so far.


The Blues plan is notifying in three phases members and former members whose information may have been compromised. The timing of notifications is based on the amount of information about them that was on the hard drives. The tiers are:

  • Tier 3, including nearly 239,000 who had their name, Social Security Number, date of birth and address on the hard drives;

  • Tier 2, about 312,000 who had their name, address and/or date of birth and diagnostic information on the drives; and

  • Tier 1, about 448,000 who had their name, address and/or date of birth on the drives.

As of last week, all Tier 3 individuals and all Tier 2 households had been notified by mail. Now the insurer is notifying all the Tier 1 members.

The Blues plan is offering all affected subscribers and their family members a variety of free credit protection and identity theft protection measures, depending on how much information they have at risk.

Updates are available at the insurer's Web site.

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.