BlueCross BlueShield of Tennessee is readying a Nov. 30 mass mailing to some of its 3.1 million customers in the Volunteer State who may have had their Social Security numbers and other private data compromised after an Oct. 2 hard drive theft at a remote training facility in Chattanooga.
"It's going to be a progression of mailings, with those who would be most at risk receiving the first mailings, depending upon how many people had a Social Security number compromised," says BCBST spokeswoman Mary Thompson.
"If you don't get a letter, you are safe. No news is good news," Thompson says.
Meanwhile, local, state, and federal law enforcement officials have been called in to investigate the Oct. 2 theft of three 3.5" X 10" hard drives, which were physically removed from server racks on computers inside a data storage closet at a training center located in a strip mall.
"We were using the information on those drives for training purposes. We were auditing our [customer service representatives] to ensure that they were delivering the correct information and servicing providers correctly and using it for training of new CSRs," Thompson says.
Thompson adds she could provide no update on the criminal investigation.
"There are many theories circulating," she says. "Of course, so we don't compromise the investigation, I'd rather not speculate. But the data was not encrypted, which would be the ideal way to secure the data. It was encoded and scrambled across the drive. Only individuals who have the most-high level of expertise, access to software and equipment would be able to reassemble the data into a form where they could access the data for any criminal activity.
"Obviously there is great concern any time data is breached, but this wasn't something that was done where somebody hit the wrong button or put the wrong labels on a file. This was a crime. This was an actual burglary," she says.
In the past several weeks, Thompson says BCBST has had as many as 800 people—including employees from a private security company—working at any given time on the arduous task of analyzing more than 300,000 screen shots and about 50,000 hours of audio data to identify potential breaches.
"You have to cross reference what was being said at the time the screen shot was captured," Thompson says. "We are going through all of those and as we are identifying groups we are triaging them based on who had a Social Security number and any of the data that was stolen. The next level down would be those who had a diagnostic code. The third level down would be those with a name or address and date of birth."
The burglary occurred on a Friday afternoon, but BCBST did not discover the theft until the following Monday morning.
"Because the data on the drives were only used for training purposes, it wasn't essential to daily operations," Thomson says. "The person in charge of the servers did not service them over the weekend because they weren't going to harm any service providers or members. It wasn't until Monday morning when they went to the data storage closet when they realized they weren't there."
Questions about the theft or other privacy matters may be directed to the BCBST Privacy Office Hotlines at 1-888-422-2786 or 1-888-455-3824 or Privacy_Office@bcbst.com.