Just calling BlueCross BlueShield of Tennessee for claim or policy information could have exposed 220,000 customers to a breach of their most-sensitive data, company officials said Wednesday.
The breach goes back to an October 2009 theft of 57 hard drives from a closet at the insurer's former Chattanooga call center at Eastgate Town Center.
Though BlueCross has identified 90 percent of the customers who may have had their Social Security numbers and other personal data disclosed, in all about 500,000 customers who phoned the call center between January 2007 and October 2009 may have had some piece of their personal information released, company spokeswoman Mary Thompson said.
"I want to emphasize that, to date, there is no evidence that the data has been accessed," she said. "This is a very cumbersome and complex process that we have committed our full resources to."
Roughly 110,000 company hours have been expended trying to figure out who was exposed, she said. Of the already identified customers, 157,000 have been notified by mail of the potential exposure, Ms. Thompson said.
Even though she has not received a letter, the knowledge that her data could have been breached is unnerving to Knoxville resident and BlueCross customer Gail Dowling.
"Your hope is that whoever took these hard drives doesn't know what they have, but they might, and that's very scary," Mrs. Dowling said. "It's a large burden on the individual to undo (any credit harm) that someone may have done in just five minutes."
The next step for BlueCross is to determine customers who had just their names, birthdates and diagnostic information exposed, Ms. Thompson said. The third step involves identifying everyone who had only their names, addresses and birthdates exposed.
Anyone outside BlueCross trying to access the video and audio recordings on the hard drives would find it difficult because they're encoded, meaning they are designed to be accessed only through programs BlueCross employees use to assist customers and medical providers with call-in concerns.
The data was saved to the hard drives to provide training for future customer service employees, Ms. Thompson said.
To mitigate any harm, BlueCross is offering customers a year's worth of credit monitoring from two credit-watch providers that offer $1 million insurance coverage for identity theft, Ms. Thompson said.
Minors who may have been exposed are able to use a third service, she said.
FOR MORE INFORMATIONFor more information on the data breach and to view bi-weekly updates, visit http://www.bcbst.com/learn/special-information/eastgate
"We are working hard to identify all the members whose data might have been exposed," Ms. Thompson said. "We are working hard to ensure their peace of mind, so that they know we are working to protect the safety of their health information, and we are looking to do right by all of our members."
Law enforcement agencies working on the investigation regularly are monitoring activity on Web sites known to participate in illegal identity theft activities, as well as online marketplace and community networks, BlueCross said in a statement.