BlueCross BlueShield - 2010

The theft of 57 hard drives from a BlueCross BlueShield of Tennessee training facility last October has put at risk the private information of approximately 500,000 customers in at least 32 states. The hard drives contained 1.3 million audio files and 300,000 video files. The files contained customers' personal data and protected health information that was encoded but not encrypted, including: names and BlueCross ID numbers. In some recordings-but not all-diagnostic information, date of birth, and/or a Social Security number were exposed. BCBS of TN estimates that the Social Security numbers of approximately 220,000 customers may be at risk. UPDATE (4/29/10): The number of plan members whose data were exposed has grown from 521,761, an estimate made in March, to nearly one million, as of April 2, according to a report issued by Mary Thompson, spokeswoman for the Tennessee Blues.UPDATE (11/3/10): According to a letter sent to the New Hampshire Attorney General's Office, the total number of individuals affected was 1,023,209.  BCBS used a three-tier system to categorize individuals affected by the breach.  The total includes 451,274 clients whose Social Security numbers were involved, 319,325 clients whose personal and diagnostic health information was involved and 239,730 clients who had personally identifiable information that was neither medical nor their Social Security number.  BlueCross Blue Shield also reported receiving fewer than 10 requests for credit restoration services from those who had their Social Security numbers exposed.UPDATE (3/14/2012): Blue Cross Blue Shield of Tennessee (BCBST) reached a $1.5 million resolution agreement with the U.S. Department of Health and Human Services. BCBS of Tennessee kept the drives and network data closet in a facility that was secured by a property management company.  The closet was secured by biometric and keycard scan security with a magnetic look and an additional door with a keyed lock.  BCBST eventually vacated most of the leased office space. Thieves may have taken the opportunity to steal the 57 unencrypted hard drives from the closet while the space was not fully occupied.