Tenn. Blues Breach Affects 500,000

 

BlueCross and BlueShield of Tennessee has announced the theft of identifiable data that affects an estimated 500,000 members.

In October 2009, 57 hard drives containing audio and video files were stolen from a leased facility that previously housed a call center and was in a transition stage with some employees still working at the facility. The files related to coordination of care and eligibility phone calls from providers and members. The video files were images from computer screens of customer service representatives and the audio files were recorded telephone conversations. The stolen material included an estimated 1.3 million audio files and 300,000 video files.

The files contained demographic information and BlueCross ID numbers. They also contained diagnostic information and Social Security numbers for many of the affected members. The files were encoded, a process that converts data by use of a code to make it unreadable, but they were not encrypted, a process that changes plain text into ciphertext using algorithms and a key.

The plan hired New York security firm Kroll Inc. to review backup files and identify affected members, conduct forensic data matching to determine the data at risk for each member, and assess BCBS of Tennessee's systemwide security. The plan "has taken several actions to strengthen these protocols," the company said in a statement. Among the changes is a new requirement that all data reside in properties that BCBS of Tennessee owns, according to a spokesperson.

The theft occurred on October 2 and the plan learned about it on October 5. Work to identify and match data began on October 7. The plan and Kroll completed an audit of back-up files on Jan. 4, 2010, with analysis of the data continuing. Notification letters to affected members started on December 7.

As of Jan. 7, 2010, the Nashville, Tenn.-based insurer has identified 220,000 members at highest risk and has notified more than 157,000. These members had their Social Security number among the data that was stolen. The plan remains in the process of identifying and notifying additional members at lower risk because their Social Security numbers were not among the data. All affected members will receive free credit monitoring and identity theft protection services for one year, with enhanced services for those with compromised Social Security numbers.

To date, the insurer has found no evidence that any data has been accessed and used.

This story was reprinted with permission from Health Data Management.
