Tennessee Breach Case Grows to 1 Million
BCBS plan continues to notify members
The investigation into the incident, dating back to October 2009, is continuing, so more members with data on the disks likely will be identified, says spokesman Mary Thompson. But she anticipates that the number of members added in the final report, coming soon, should be small.
"So far, there is no indication that the stolen data has resulted in any fraudulent activity," Thompson says. The Chattanooga Police and the FBI are continuing an investigation.
The insurer acknowledges that ongoing expenses for the case, estimated at more than $7 million as of February, are continuing to grow.
Largest incident
Even before the latest update, the case was the largest breach incident reported so far to federal authorities under the HITECH breach notification rule, which kicked in last September. Under the rule, organizations must report to the media and the Department of Health and Human Services breaches affecting more than 500.
On Oct. 2, 2009, some 57 unencrypted hard drives were stolen from servers in a leased facility in Chattanooga that formerly housed a call center for the insurer. The company was in the process of moving out of the facility, where several employees still worked.
The Blues plan had backup files of all the stolen data and has been working with Kroll Inc., a risk consulting firm, to review files and identify members whose personal information may be at risk. Personal information on some 998,422 current and former members was on the hard drives, the investigation has determined so far.
Notifications
In three phases, the Blues plan is notifying members and former members whose information may have been compromised. The timing of notifications is based on the amount of information about them that was on the hard drives. The tiers are:
- Tier 3, including nearly 239,000 who had their name, Social Security Number, date of birth and address on the hard drives;
- Tier 2, about 312,000 who had their name, address and/or date of birth and diagnostic information on the drives; and
- Tier 1, about 448,000 who had their name, address and/or date of birth on the drives.
As of last week, all Tier 3 individuals and all Tier 2 households had been notified by mail. Now the insurer is notifying all the Tier 1 members.
The Blues plan is offering all affected subscribers and their family members a variety of free credit protection and identity theft protection measures, depending on how much information they have at risk.
Updates are available at the insurer's Web site.