Published Thursday, July 28th, 2011

Chattanooga-based BlueCross encrypts data following theft of hard drives

File photo: The BlueCross and BlueShield logos hang on the company's old building in downtown Chattanooga.

BlueCross BlueShield of Tennessee announced today it has completed a $6 million program to better protect the privacy of sensitive health records following a theft of its computer records two years ago.

The Chattanooga-based health insurer is the first U.S. health insurance company to encrypt all of its at-rest data, company spokeswoman Mary Danielson said. BlueCross invested in the enhanced security following an October 2009 break-in at the company’s former Eastgate offices where 57 computer hard drives were stolen.

BlueCross also spent more than $10 million over the past two years to investigate the theft and alert nearly 1 million persons about the potential that their health records may be compromised, Danielson said. To date, there is no indication of any misuse of personal data from the stolen hard drives and no arrests have been made in the incident.

“The trust of our members is one of our most important assets, and the hard drive theft represented a serious threat to that trust,” said Nick Coussoule, senior vice president and chief information officer for BlueCross. “The lessons we learned from the theft led us to go above and beyond current industry standards, and our team has worked tirelessly to put new safeguards in place and encrypt all our at-rest data.”

The stolen hard drives contained audio and video recordings related to customer service telephone calls from providers and members, and included varying degrees of personal information. To date, there is no indication of any misuse of personal data from the stolen hard drives.

In response to the theft, BlueCross worked to comply with all regulatory requirements, including notifying all impacted members and providing free credit monitoring services to members at a higher risk of identity theft. Next, the company launched and has now completed a major initiative to encrypt more than 885 terabytes of at-rest data held by the insurer.

“We searched the country and were unable to find another company that has achieved this level of data encryption,” said Michael Lawley, vice president of technology shared services for BlueCross. “In addition to world-class information security technology, we have adopted even stricter policies and procedures that support our ongoing commitment to security.”

Data encryption is achieved through the use of algorithms, which convert normal, readable information into an indecipherable format, and secure keys, which allow only authorized users to convert the information back into a format they can use.

PaulWilson said...

NOW they encrypt their data?! This technology has been around for years...why have they waited this long? The cost of protecting data seems like it would be one that was well worth it. I know of several people that have dropped their coverage with BCBS because of their failure to protect their information. I'm glad they've done it now but, I question their reasoning for waiting so long.

July 28, 2011 at 10:31 a.m.
Musicman375 said...

Paul, they were previously compliant with federal guidelines before the encryption process by already having all the data encoded. The info on the hard drives WAS encoded, but not encrypted. They are both measures of security to keep prying eyes off the data, but encryption is a level above encoding. In fact, encrypted data is still encoded under the encryption, so you have to break it twice if you're a hacker.

July 28, 2011 at 11:31 a.m.

Did you not pick up on the whole "no one else in the country is doing this" thing? If the people you know dropped their BlueCross coverage because of the theft, it seems they just went to another company who was only equally secure as BlueCross used to be and is now trusting a company that is less secure. Doesn't sound like that great a move to me.

I can only guess that the reason they weren't doing it before was because of the $6 MILLION!!! price tag. It is hard to justify that kind of outlay of capital for anything. I guess this means they are going above and beyond to prevent a thief from ever having a chance to get their customers' medical info ever again since no one else has done this.

Why complain when they address the problem? I would be worried about the insurance companies that see all the thefts and breaches going on out there and haven't bothered to do anything at all about it.

July 28, 2011 at 11:33 a.m.
PaulWilson said...

“We searched the country and were unable to find another company that has achieved this level of data encryption,”

This level of encryption. That implies that companies other than them were using at least some form of encryption instead of just encoding. That aside, coding is a basic form of data security that is not very difficult to crack. There are younger teens that are capable of cracking that in no time. 128-bit encryption is the highest level of data encryption currently available. Sure, it costs but, wouldn't you want to protect your company and its millions of customers' information in order to not lose that business?

July 28, 2011 at 1:01 p.m.

Paul, who said BCBS didn't have "some" encryption as well before the theft? I don't understand what you are getting at. If a criminal hadn't broken in and stolen the hard drives, the data would have been safe. You act like they dropped the data somewhere and a kid stumbled across it and took it home for mom to find in their pocket when she did the laundry.

128bit is currently the largest commercial data block size, but keys can have much higher encryption levels.

July 28, 2011 at 1:49 p.m.
Winner said...

I would imagine that this project was not the only one on BCBS' table. With the new legislation that is rolling out constantly I'd say kudos to them for finding time to get this huge feat accomplished. 885 terabytes is A LOT of information.

July 28, 2011 at 3:07 p.m.
Copyright ©2014, Chattanooga Publishing Company, Inc. All rights reserved.
This document may not be reprinted without the express written permission of Chattanooga Publishing Company, Inc.