In October, 57 hard drives were stolen from a leased facility in BlueCross BlueShield's Eastgate, Chattanooga Town Center. The insurance company had been using the location as a call center before it moved to a new building. The drives contained data including protected health information of customers (which it calls 'members') of its health plan.
BlueCross had identified different tiers of customers, each of which had different levels of personal information about them stored on the drives. The insurer sent out 220 133 notifications to tier 3 customers indicating that their personal information was included on the stolen drives. This information included name, address, BlueCross member ID number, diagnosis, Social Security number, and date of birth.
A total of 301 628 current and former subscribers – customers whose plans extend to other individuals – will now be notified in the tier 2 category. BlueCross has decided to also notify other individuals covered by the subscribers' health care insurance plans.
"To illustrate this point, 131 909 subscriber ID numbers were identified during the review of the customer service calls, and there were 168 719 family members associated with the member ID numbers," BlueCross said. All of those people – both the primary customers, and the family members covered by the insurance plans – will be notified beginning in the middle of this month, BlueCross noted in a statement.
The company restored hard drive backup tapes just over a week later, and began auditing the video files they contained. In November, Kroll, which the company had retained to help deal with the incident, began auditing both audio and video files on the tapes, and in the middle of that month a call center was set up designed to respond to customer queries about the data theft.