Security breach at BlueCross

November 25th, 2009 in Opinion Times

BlueCross BlueShield of Tennessee is taking steps to protect members whose Social Security numbers may be at risk following a theft at a company office last month. It is working with police to solve the crime. It will identify and notify clients at risk and provide them with free credit monitoring for a year. Those actions might provide some comfort and relief to those affected, but they do not relieve BlueCross, the biggest health insurer in the state, of culpability in the case.

The problem arose on Oct. 2, when someone entered the Eastgate Town Center offices of the insurance provider. The culprit took 68 computer hard drives from a data closet. The drives contained personal information -- possibly including birth dates and Social Security numbers -- about some BlueCross members. Crooks often use that sort of information to hack bank accounts or to obtain credit cards, with disastrous results for individuals whose vital information has been compromised.

There's no evidence at the moment to suggest that has occurred, but it remains a possibility. Indeed, the fear that it might occur is why BlueCross workers, a staffing service and a data security contractor are working six days a week to retrieve and review backup files. That involves examining 300,000 screen image files and reviewing 50,000 hours of audio recordings stored on the stolen drives. That must be done to determine which people are at risk because of the theft, but it is only the first step in a complicated process.

The next, scheduled to begin Monday, is to notify those affected that their personal information was stolen. That notification will include information about free credit monitoring for 12 months. The service often allows individuals to detect and address illegal or irregular activity in their financial affairs. That helps BlueCross members address one possible result of the theft. It does not, however, explain how or why security measures and corporate oversight of them were so lax at the compromised facility. The company has yet to provide an explanation.

The insurer clearly has an obligation to protect such information. A company spokesman acknowledged as much. "We obviously take great concern for the privacy and security of our members' personal health information," said Mary Thompson. That might be so, but in the Eastgate case BlueCross obviously failed to honor that important pledge.

The company is now obtaining an independent assessment of its system-wide data and building security. It is bolstering security at all facilities by adding video camera surveillance, by reviewing card access readers and by increasing the number of security personnel. Those steps might reduce the possibility of similar data breaches in the future, but they come far too late to help the so-far unknown but possibly large number of individuals whose extremely personal and private information has fallen into unknown hands.