Posts tagged: BCBS

BCBS of Tennessee still notifying individuals of breach

By Dissent, April 2, 2010

Almost six months after the theft of 57 hard drives from their Chattanooga facility, BlueCross BlueShield of Tennessee is still in the process of notifying individuals of the breach, according to an update to the New Hampshire Attorney General’s Office dated March 31 (pdf).

Update: Note that as of this month, the number of individuals affected by or being notified about the breach has risen to 998,442.

BCBS of TN issues breach notification for stolen hard drive

By Dissent, December 4, 2009

Remember the BlueCross breach in Chattanooga from October? First it was 57 hard drives, then 68, then 3, then 1, depending on which report you read. Now it’s 57 again, it seems. Today, Blue Cross issued a breach notification on its web site, as required by the new HITECH Act:

Required Substitute HITECH Act Notice Regarding BlueCross Hard Drive Theft

Editor’s Note: BlueCross BlueShield of Tennessee has issued this press release as required by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”), Title XIII of Division A and Title IV of Division B of the American Recovery and Reinvestment Act of 2009 (Pub. L. 111-5) and its implementing regulations.

CHATTANOOGA, Tenn. — On Monday, Oct. 5, 2009 at 10 a.m., BlueCross BlueShield of Tennessee, Inc. employees discovered a theft of computer equipment at a network closet located in its former Eastgate Town Center office location in Chattanooga, Tenn. The theft occurred Friday, Oct. 2, 2009 at approximately 6:13 p.m. BlueCross has established that the items taken include 57 hard drives containing data that was encoded but not encrypted.

The hard drives were part of a system that recorded and stored audio and video recordings of coordination of care and eligibility telephone calls from providers and members to BlueCross’ former Eastgate call center located in Chattanooga. The hard drives that were stolen contained data that included protected health information data of some members of the health plan. This data included member names and identification numbers and, on some but not all recordings, a diagnosis/diagnosis code, date of birth and/or a Social Security number.

BlueCross immediately investigated the breach and strengthened the existing security measures at the Eastgate Town Center where space was being leased. BlueCross is obtaining an independent assessment of system-wide data and facility security.

BlueCross has placed information on its Web site www.bcbst.com to provide its members information about this theft. The information includes the link to the Federal Trade Commission Web site, www.ftc.gov, where members can find information on steps they can take to protect against identity theft. Members can contact the BlueCross Eastgate Response Customer Call Center at 1-888-422-2786 to find out more information.

The back-up data of the stolen hard drives were restored and an exhaustive inventory of all data included on the drives is being conducted by BlueCross and Kroll Inc., a global leader in data security. BlueCross is in the process of sending rolling written notification to members as soon as they are identified as being affected by the data theft. The notification letters, which will be mailed to current and former BlueCross members, will specify the particular call center number that members should call. For any members whose Social Security number is identified at risk, credit monitoring services will be provided free of charge – which also includes up to a million dollars in identity theft insurance.

BlueCross has also engaged the services of Kroll to carry out the member notifications and provide its Enhanced Identity Theft Consultation and Restoration Services. Kroll’s Licensed Investigators are available to answer any questions or identity theft concerns. In addition, in the unlikely event a member sustained identity theft as a result of this incident, BlueCross would also provide Identity Theft Restoration service through Kroll.

BlueCross has notified the Secretary of the Department of Health and Human Services and the State of Tennessee. BlueCross has also placed a notice with all three credit bureaus regarding this theft.

If a member receives a notification letter, the member will then be directed to call one of the numbers below:

• BlueCross Eastgate Response Customer Call Center: 1-888-422-2786 / 1-866-779-0487

• Members whose Social Security number has been at risk: 1-866-599-7347

• Privacy_Questions_GM@bcbst.com

For up-to-date information related to the Eastgate theft visit the BlueCross Web site at www.bcbst.com.

About BlueCross

BlueCross BlueShield of Tennessee is the state’s oldest and largest not-for-profit health plan, serving nearly 3 million Tennesseans. Founded in 1945, the Chattanooga-based company is focused on financing affordable health care coverage and providing peace of mind for all Tennesseans. BlueCross serves its members by delivering quality health care products, services and information. BlueCross BlueShield of Tennessee Inc. is an independent licensee of BlueCross BlueShield Association. For more information, visit the company’s Web site at www.bcbst.com.

TN: 68 Blue Cross Blue Shield hard drives stolen (update 1)

By Dissent, October 6, 2009

Yet another Blue Cross Blue Shield breach in the news this week, although it’s not clear yet whether any PII or PHI are involved. Joe Legge reports:

Monday, Blue Cross Blue Shield workers noticed something missing here at their Eastgate offices.
Dozens of computer hard drives weren’t where they were supposed to be. 68 drives to be exact.

Authorities say a burglar alarm went off Friday… but Blue Cross didn’t report the possible theft until making a visual inspection days later. Sgt. Jerri Weary with the Chattanooga Police Department says “they could have been taken anytime during the weekend.”

[...]

A Blue Cross spokesperson says she doesn’t know if the missing drives contain private patient information.

Read more on WDEF news.

Update: Today’s Times Free Press reports:

The hard drives contained some encoded data, including voice recordings of eligibility and coordination-of-benefit calls used for training purposes, said spokeswoman Mary Thompson in a statement.

“The retrieval of member data from these drives would require highly-specialized expertise and software,” according to the statement. “Therefore, at the present time, we have no reason to believe that member data has been accessed.”

Should the company discover members’ personal information has been compromised, employees will notify members as soon as possible, Ms. Thompson said. A team is working to determine what personal information, if any, has been accessed.