Blue Cross Blue Shield of Tennessee announced last week that nearly 1 million of its members have been affected by the theft of hard drives containing unencrypted personal data. BCBSTN had previously announced in January that 58 hard drives had been stolen in October 2009, and that they held 1.6 million files containing unencrypted personal and protected health information on about 500,000 members in 32 states.
While the breach is significant for its size alone, the subsequent remediation effort is also worth noting. As of April 2, a total of 998,422 current and former BCBSTN members had been identified as affected, and 550,873 notifications had been sent informing recipients that their personal information was on the stolen hard drives.
BCBSTN has published a detailed analysis explaining how it is remediating the breach. Because the drives were unencrypted, exposure is determined entirely by which data elements were stored for each person, and the affected individuals have been grouped into tiers on that basis. There are 238,589 members in the Tier 3 category, those who had the most data on the stolen hard drives (their name, address, Blue Cross member ID number, diagnosis, Social Security number and/or date of birth). Those in Tier 3 have been sent a notification detailing the services available to them through BCBSTN: one year of free credit monitoring, free identity monitoring and one year of free access to the Kroll ID TheftSmart program.
Another 312,284 current and former members fell into the Tier 2 category (their name, address, Blue Cross member ID number, date of birth and/or diagnosis were on the hard drives). An additional 447,549 current and former members were placed in the lowest category, Tier 1, for having their name, address, Blue Cross member ID number and/or date of birth on the hard drives. Current and former members in Tiers 1 and 2 will receive one year of free access to the Kroll ID TheftSmart program, but not the credit monitoring offered to Tier 3, reflecting that no Social Security numbers were exposed for those tiers.