32 states notified of potential data theft

PDF: Wynkoop letter

Tennessee's largest health insurer is notifying authorities in at least 32 states about a Chattanooga theft of computer files last year that could jeopardize the identity or health records of up to half a million Americans.

Chattanooga-based BlueCross BlueShield of Tennessee said Thursday the company has alerted attorneys general in Tennessee, Georgia and 30 other states about the theft of computer hard drives from Eastgate Town Center last October.

BlueCross is contacting authorities in any state where at least 500 BlueCross customers could have had personal or health data exposed from video and audio recordings on the hard drives.

BlueCross spokeswoman Mary Thompson said the company and its contractors still are assessing what information was included in the 57 hard drives taken during a weekend theft at the company's former customer care center at Eastgate Town Center.

So far, Ms. Thompson said, the company has not had any evidence that identities or records improperly were used or were stolen from the computer hard drives.

Because of the sheer volume, BlueCross didn't notify everyone within 60 days as required by federal health regulators, officials said in letters to state authorities.

"Because the theft occurred at a rental space which BlueCross leased for training purposes, BlueCross is having a complete audit and assessment of its physical security performed in order to prevent such an occurrence from happening again," BlueCross Senior Vice President Bill Young said in a letter to the Ohio attorney general.

BY THE NUMBERS* 1.3 million -- Estimated number of audio files on stolen computer hard drives* 300,000 -- Estimated number of video files stolen* 500,000 -- Number of BlueCross members whose identities or records may have been compromised* 32 -- Number of states with at least 500 BlueCross members whose identity was compromised, triggering a required notice to the attorneys general there.

The Chattanooga police and Federal Bureau of Investigation are continuing to investigate the theft of the hard drives, which occurred on the night of Oct. 2, 2009, from what BlueCross officials thought was a secure closet. No suspects have been arrested, and authorities are not sure if the thieves

were aware of what was on the stolen hard drives.

BlueCross since has relocated all of its Chattanooga operations to a new, more secure corporate campus atop Cameron Hill downtown.

The company already has notified about 220,000 people whose identity records might have been on the stolen computer files. BlueCross is offering each affected person free credit reports and free identity restoration services.

Sharon Curtis-Flair, a spokeswoman for the Tennessee attorney general's office, said state law requires any affected customers in such cases be notified if their records have been exposed or stolen.

The stolen files contained images from computer screens of BlueCross workers and the audio files of their recorded phone conversations from 2007 through last year, according to BlueCross information posted on the company's Web site.