Tenn. Blues Breach Affects 500,000
BlueCross and BlueShield of Tennessee has announced it has so far notified more than 157,000 members of the theft of identifiable data in early October that affected an estimated 500,000 members. The Chattanooga, Tenn.-based insurer announced the theft within days of its occurrence. It started notifying members in early December as evidence that their information was on stolen files surfaced during an investigation that continues.
In October, 57 hard drives containing audio and video files were stolen from a leased facility that previously housed a call center and was in a transition stage with some employees still working at the facility. The files related to coordination of care and eligibility phone calls from providers and members. The video files were images from computer screens of customer service representatives and the audio files were recorded telephone conversations. The stolen material included an estimated 1.3 million audio files and 300,000 video files.
The files contained demographic information and BlueCross ID numbers. They also contained diagnostic information and Social Security numbers for many of the affected members. The files were encoded, a process that converts data by use of a code to make it unreadable, but not encrypted, a process that changes plain text into ciphertext using algorithms and a key.
The plan hired New York security firm Kroll Inc. to review backup files and identify affected members, conduct forensic data matching to determine the data at risk for each member, and assess BCBS of Tennessee's systemwide security. The plan "has taken several actions to strengthen these protocols," the company said in a Jan. 13 statement updating its progress. Among the changes is a requirement that all data now reside in properties that BCBS of Tennessee owns, according to a spokesperson.
The theft occurred on Oct. 2 and the plan learned about it on Oct. 5. Work to identify and match data began on Oct. 7. The plan and Kroll completed an audit of backup files on Jan. 4, with analysis of the data continuing. Notification letters to affected members started on Dec. 7.
As of Jan. 7, the insurer has identified 220,000 members at highest risk and has notified more than 157,000. These members had their Social Security number among the data that was stolen. The plan remains in the process of identifying and notifying additional members at lower risk because their Social Security numbers were not among the data. Members whose Social Security number was on a stolen disk will be offered free credit monitoring and identity theft protection services; others will be offered the identity theft protection services.
To date, the insurer has found no evidence that any data has been accessed and used. More information is available at bcbst.com.