BlueCross computer theft already costs $7 million

What was initially assumed to be just a glitch in some soon-to-be-discarded computer equipment last fall has grown into one of Chattanooga's most expensive property crimes of the year.

BlueCross BlueShield of Tennessee said Monday it already has spent more than $7 million to respond to the theft last October of computer hard drives from an abandoned office at Eastgate Center.

Although the Chattanooga-based health insurer has adequate reserves to absorb such losses, officials said the company may have to spend millions more to assess what was on the missing computer records and to provide identity protection for affected customers.

The missing computer files contained audio copies of telephone calls and records of video screen images that could compromise the identity or privacy of up to 500,000 Americans, company officials said.

BlueCross already has notified 220,000 BlueCross customers in Tennessee and other states where persons covered by BlueCross of Tennessee plans may work.

To date, BlueCross said there have been no verified instances of any improper access or use of individual identities or health records from the stolen computer hard drives. But BlueCross Communications Director Roy Vaughn said the company has received 8,728 member calls related to the theft so far, and about 20,500 members of BlueCross plans have taken advantage of the company's offer for free credit monitoring services from Equifax, Kroll or Lifelock.

Timeline of events

* September 2009 - BlueCross relocates customer service center out of leased offices at Eastgate Center.
* Oct. 2, 2009 - At 6:13 p.m., alarm from computer hard drives stored at vacated buildings at Eastgate is activated; alarm dismissed because officials did not think the hard drives contained critical data.
* Oct. 5, 2009 - BlueCross computer personnel investigate alarm and discover 57 missing computer hard drives from secured closet. BlueCross security team alerts Chattanooga police to suspected theft of computer records from Eastgate.
* Oct. 6, 2009 - Federal and state authorities, along with local media, are alerted to theft.
* Fall 2009 - BlueCross hires 300 part-time workers and contract investigators, along with the world's largest risk consulting company, Kroll, to assess what is on missing computer records. FBI joins probe and begins notifying attorneys general across the country.
* January 2010 - BlueCross completes initial audit of records, but continues assessment of lower-level privacy breaches. Initial estimates put cost at $7 million.

Top identity thefts

Although costly for BlueCross, last year's theft of computer hard drives with the records of as many as 500,000 persons was not one of the country's biggest:

1. Heartland Payment Systems, hacker breaks into 130 million records in January 2009
2. TJX Inc., hacker breaks into 94 million records in January 2007
3. Sears Roebuck and TRW, hacker breaks into 90 million records in June 1984
4. National Archives and Records Administration loses 70 million records during disposal in October 2009
5. CardSystems Solutions, hacker breaks into 40 million records in June 2005

Determining what was on the 57 stolen computer hard drives - and complying with federal and state notification requirements - already has required the hiring of more than 700 contract and BlueCross workers to assess back-up copies of the missing records.

"It was like water torture last fall," BlueCross Vice President Ron Harr recalled Monday. "Every piece of information that came in was worse."

Mr. Harr said the cost of dealing with the theft will not directly lead to any increase in rates for BlueCross, which still enjoys sufficient reserves to absorb such losses.

"But we have to be honest with people and recognize that, in the end, ultimately all of our money must come from our customers," he said.

In a prepared statement in response to Times Free Press inquiries, BlueCross declined to discuss any details about the break-in at Eastgate or who had access to the protected area of the leased offices.

Chattanooga police have yet to arrest or charge any individuals who may have been involved in the theft, according to police spokeswoman Sgt. Jerri Weary.

The theft came just weeks before BlueCross planned to send the hard drives back to the vendor for ultimate disposal. The files and the offices where they were housed were no longer in use.

Ed Galloway, supervisory senior resident agent for the FBI, said the organization has been briefed about the missing computer files.

"But I can't comment on any ongoing investigation," he said.

To comply with the Health Information Technology for Economic and Clinical Health Act adopted last year, BlueCross must notify attorneys general in 32 states where at least 500 BlueCross members may be affected by the security breach.