The theft of 57 hard drives from a BlueCross BlueShield of Tennessee training facility last October has put at risk the private information of approximately 500,000 customers in at least 32 states, the insurer said this week in an investigation update.
The hard drives containing 1.3 million audio files and 300,000 video files related to coordination of care and eligibility telephone calls from providers and members were reportedly stolen from a leased office in a Chattanooga strip mall that once housed a BCBS of TN call center. The video files were images from computer screens of customer service representatives and the audio files were recorded phone conversations from Jan. 1, 2007 to Oct. 2, 2009.
The files contained customers' personal data and protected health information that was encoded but not encrypted, including:
- Names and BlueCross ID numbers.
- In some recordings (but not all), diagnostic information, date of birth, and/or a Social Security number. BCBS of TN estimates that the Social Security numbers of approximately 220,000 customers may be at risk.
"Law enforcement agencies working on the investigation of the theft are regularly monitoring activity on Web sites known to participate in illegal identity theft activities, as well as online marketplace and community networks. To date, there is no evidence any member's data has been accessed and used as a result of the theft," BCBS of TN said in a media announcement.
BCBS of TN had backup files of all stolen data and, when the theft was discovered in October, contracted Kroll, the risk consulting company, to review files and identify members whose personal information may be at risk. Due to the amount and types of the data involved, it is taking significant time to review each recording. BlueCross is working as quickly as possible to notify all affected members. As of Jan. 7, more than 110,000 hours were logged during this effort to identify members at risk, the insurer said.
BCBS of TN has customers in 50 states. As of Jan. 8, the insurer had identified 32 states with 500 or more members whose data may be at risk. HHS, the State of Tennessee, and the attorney general's office and media in each state with 500 or more affected members have been notified about the theft, as required by the Health Information Technology for Economic and Clinical Health Act. BCBS of TN has also placed a notice with all three credit bureaus regarding this theft.
Three levels of risk have been identified for those customers whose information may be at risk. Letters are being mailed to these current and former BlueCross customers explaining the level at which their personal information is at risk. They are being offered a variety of free services to mitigate the potential misuse of personal information.
John Commins is a content specialist and online news editor for HealthLeaders, a Simplify Compliance brand.