BlueCross theft alert widens


Personal information for nearly 1 million members of BlueCross BlueShield of Tennessee was included on computer hard drives stolen from an abandoned office last fall, according to a new company report.

The Chattanooga-based health insurer is contacting another 447,549 of its customers this month to alert them that their identities may have been jeopardized by the theft of 57 computer hard drives last October. That nearly doubles the number of BlueCross members already notified about the potential threat to their identities.

"We continue to try to be proactive in notifying those who may have had some type of record on these computer hard files," BlueCross spokeswoman Mary Thompson said.

Nearly one of every three people covered by the Tennessee BlueCross plan has received or will receive a letter from the insurance company telling them about the potential identity threat. The company is offering free credit monitoring services for the next year and access to a Kroll ID TheftSmart program for any of those potentially affected by the theft, BlueCross officials said.

So far, there has been no documented incident of identity theft or credit fraud involving any BlueCross member as a result of the stolen computer files.

The Chattanooga police and Federal Bureau of Investigation still haven't closed their investigations into the loss of the computer hard drives from a locked computer room in the Eastgate Town Center office complex on Oct. 2, 2009. The hard drives were reportedly taken on a Friday night, but the theft wasn't discovered until the following Monday morning when work crews returned to the office, according to police reports of the incident.

BlueCross already had moved most of the employee customer service and training operations from Eastgate to the new BlueCross corporate campus on Cameron Hill during the month prior to the computer theft, according to BlueCross Senior Vice President Ron Harr.

But BlueCross has declined to discuss details about security cameras, staffing or alarms during the office move and subsequent computer theft.

Ms. Thompson said BlueCross had spent $7 million through January on investigations, notifications and credit restoration services stemming from the stolen computer files. No new cost estimates are available, but just mailing the additional letters to those most recently identified to be on the computer hard drives will cost the company an extra $200,000.

In its most recent report on the theft, BlueCross said it is about 98 percent complete in assessing all of the files for those who may have had diagnostic health information on their files, and about 90 percent complete in assessing all of the files for those who simply may have had their name and address on the stolen hard drives.

"It sounds like they are taking the conservative approach with respect to notifying people," said Deven McGraw, director of the Health Privacy Project at the Center for Democracy and Technology in Washington, D.C. "But the fact is that if BlueCross had encrypted this data, they wouldn't have had to spend so much time and effort notifying everybody. Encryption is a pretty basic security function that isn't that expensive and yet will protect this type of information from being used by someone else in virtually all cases and would have saved a lot of heartache."

The Tennessee BlueCross plan was more aggressive in notifying those affected by the computer theft than was the Anthem BlueCross plan following the loss last year of one of that company's laptop computers containing 18,817 records about health care providers. Connecticut Attorney General Richard Blumenthal is investigating whether that computer loss violated the state's requirements to inform those who may have had their identities compromised.

The loss of the laptop in August 2009 by Anthem BlueCross was not reported to the state until October.

"As appalling as the data loss, equally alarming and potentially illegal is the delay in disclosing it," Mr. Blumenthal said about the Anthem computer loss.
