The drives stored computer screen captures and audio recordings of calls, typically from providers, to Blues plan customer service representatives. The recordings were made to verify information given out by the customer service reps and to be used for training, Thompson said.
The missing tapes were on servers dedicated to training, which may have delayed the discovery that they were missing, Thompson said.
In some instances, information on the screens and the tapes could include names, Social Security numbers, insurance ID numbers, addresses and dates of birth as well as diagnoses, she said. The data were not encrypted, Thompson said, but they were “scrambled” in a way that offered some protection from individual identification.
The breach was reported in the local media the day after discovery, Thompson said, but it has taken this long to review copies of the recordings to determine what personal information might have been exposed. That effort so far has involved 418 Blues employees, plus 400 contractors from the Kroll security firm working in two shifts, she said.
Mailings were sent Nov. 20 to group administrators informing them how notification to plan members will take place. Notices to individual members will be sent out in waves beginning Nov. 30, Thompson said.
The number of affected plan members and the cost of the breach have not yet been determined, Thompson said.