Another 301,628 current and former members of BlueCross BlueShield of Tennessee soon will be getting letters alerting them that their personal information was included on computer hard drives stolen from the insurance company last year.
The Chattanooga-based health insurer announced today that the number of affected customers with potentially compromised identification and health information has more than doubled from the 220,133 persons already notified about the identity threat.
BlueCross Communications Director Roy Vaughn said company subscribers and family members whose names and records could be included on the hard drives should receive a letter in mid February. The company is offering free credit and ID remediation to anyone worried about potential identity theft, he said.
"The number of affected persons is greater than we previously forecast, but we have decided to notify any affected subscriber and all of the members related to that subscriber," Mr. Vaughn said. "We're trying to do the right thing."
The notifications are the latest in the increasingly expensive fallout from the theft last October of 57 computer hard drives from an abandoned BlueCross training center at the Eastgate Center. BlueCross already has spent more than $7 million to identify the scope of what was taken and to notify those affected, officials said. The company is likely to spend millions of dollars more, experts estimate.
BlueCross still is accessing records of those whose names and addresses -- but not Social Security numbers and other sensitive identity data -- may be on the hard drives. Mr. Vaughn said even more people are likely to be contacted.
Chattanooga police and the Federal Bureau of Investigation still are probing the computer theft. But so far, no one has been charged with any crime and BlueCross officials say there is no evidence that anyone has improperly accessed or used the data on the hard drives.
The theft came as BlueCross was relocating its customer service staff from its leased offices at the Eastgate Center in September to the company's $300 million corporate campus atop Cameron Hill. Computer hard drives containing tapes and records of customer records remained at Eastgate after the offices largely were abandoned.
The hard drives were scheduled to be sent back to their vendor last fall, but they were stolen on a Friday night. The crime was reported to police the next Monday afternoon.
"The company seems to be bending over backwards to alert anyone whose records may be involved and authorities in the states where the affected people live," said Deven McGraw, a privacy advocate with Center for Democracy and Technology. "It's costing them a huge amount of money. They could have avoided this if they would have spent just a little bit more on the front end to better secure these hard drives or use data encryption to protect the records."
Encrypted data, Ms. McGraw said, requires a key for any user to unlock and read the information.
"It's like a foreign language you can't understand," she said.
BlueCross has alerted the attorneys general in most states about the theft of the computer hard drives and what the company is doing to help those who might be affected.
Sharon Curtis-Flair, director of communications for the Tennessee Attorney General's office, said state authorities "are in contact with Blue Cross and are monitoring the situation." No regulatory action has been taken against the Chattanooga company.