BlueCross and BlueShield of Tennessee is still scrambling to figure out how much of its members' personal information was put at risk in an Oct. 2 data breach in which 57 hard drives were removed from computer servers at a plan office in Chattanooga, according to a plan spokeswoman.
In a telephone interview, Blues spokeswoman Mary Thompson said there were no signs of forced entry and the drives, which Thompson said were between the size of a large book and an 8-track tape cartridge, were taken from a set of active servers in a data storage cabinet. The removal, termed a theft by the plan, was not discovered until Oct. 5, Thompson said.
The drives stored computer screen captures and audio recordings of calls, typically from providers, to Blues plan customer service representatives. The recordings were made to verify information given out by the customer service representatives and to be used for training, Thompson said.
The missing drives were on servers dedicated to training, which may have delayed the discovery that they were missing, Thompson said.
In some instances, information on the screens and the recordings could include names, Social Security numbers, insurance ID numbers, addresses and dates of birth as well as diagnoses, she said. The data were not encrypted, Thompson said, but were “scrambled” in a way that offered some protection from individual identification.
The breach was reported in the local media the day after discovery, Thompson said, but it has taken this long to review copies of the recordings to determine what personal information might have been exposed. That effort so far has involved 418 Blues employees, plus 400 contractors from the Kroll security firm working in two shifts, she said.
Mailings were sent Nov. 20 to group administrators informing them how notification of plan members will take place. Notices to individual members will be sent out in waves beginning Nov. 30, Thompson said.
The number of affected plan members and the cost of the breach have not yet been determined, Thompson said.