BlueCross BlueShield of Tennessee announced today it has completed a $6 million program to better protect the privacy of sensitive health records following a theft of its computer records two years ago.
The Chattanooga-based health insurer is the first U.S. health insurance company to encrypt all of its at-rest data, company spokeswoman Mary Danielson said. BlueCross invested in the enhanced security following an October 2009 break-in at the company's former Eastgate offices where 57 computer hard drives were stolen.
BlueCross also spent more than $10 million over the past two years to investigate the theft and alert nearly 1 million persons about the potential that their health records may be compromised, Danielson said. To date, there is no indication of any misuse of personal data from the stolen hard drives and no arrests have been made in the incident.
"The trust of our members is one of our most important assets, and the hard drive theft represented a serious threat to that trust," said Nick Coussoule, senior vice president and chief information officer for BlueCross. "The lessons we learned from the theft led us to go above and beyond current industry standards, and our team has worked tirelessly to put new safeguards in place and encrypt all our at-rest data."
The stolen hard drives contained audio and video recordings related to customer service telephone calls from providers and members, and included varying degrees of personal information.
In response to the theft, BlueCross worked to comply with all regulatory requirements, including notifying all impacted members and providing free credit monitoring services to members at a higher risk of identity theft. Next, the company launched and has now completed a major initiative to encrypt more than 885 terabytes of at-rest data held by the insurer.
"We searched the country and were unable to find another company that has achieved this level of data encryption," said Michael Lawley, vice president of technology shared services for BlueCross. "In addition to world-class information security technology, we have adopted even stricter policies and procedures that support our ongoing commitment to security."
Data encryption is achieved through the use of algorithms, which convert normal, readable information into an indecipherable format, and secure keys, which allow only authorized users to convert the information back into a format they can use.