In October, 57 hard drives containing 1.3 million audio and 300,000 video files were stolen from a leased facility that previously housed a call center and was in a transition stage with some employees still working at the facility. The files related to coordination of care and eligibility phone calls from providers and members. The video files were images from computer screens of customer service representatives and the audio files were recorded telephone conversations.
The files contained demographic information and BlueCross ID numbers. They also contained diagnostic information and Social Security numbers for many of the affected members. The files were encoded, meaning the data was converted by use of a code to make it unreadable, but not encrypted, which changes plain text into ciphertext using algorithms and a key. Because encoding relies on no secret key, anyone who knows or works out the scheme can reverse it. The plan hired New York security firm Kroll Inc. to review backup files and identify affected members, conduct forensic data matching to determine the data at risk for each member, and assess BCBS of Tennessee's systemwide security. The plan "has taken several actions to strengthen these protocols," the company said in a statement. Among the changes is a requirement that all data reside in properties that the plan owns, according to a spokesperson.
The theft occurred on Oct. 2, and the plan learned about it on Oct. 5. Work to identify and match data began on Oct. 7. The plan and Kroll completed an audit of backup files on Jan. 4, with analysis of the data continuing. Notification letters to affected members started on Dec. 7.
By the first week of January, the insurer had identified 220,000 members at highest risk and had notified more than 157,000. These members had their Social Security numbers among the data that was stolen. The plan remains in the process of identifying and notifying additional members at lower risk because their Social Security numbers were not among the data. All affected members will receive free credit monitoring and identity theft protection services for one year, with enhanced services for those with compromised Social Security numbers. To date, the insurer has found no evidence that any data has been accessed and used.




















