Title: BlueCross BlueShield of Tennessee data breach notification - Attorney General of Maryland
Date: 03/12/10
Business Activities: Security - Physical Safeguards, Security - Technical Safeguards, Breach Response
Impact to Subscriber:

A health insurance company suffered a break-in on a Friday night in which 57 hard drives were stolen. The computer monitoring system generated a notice that the servers were not functioning properly; however, since they were not critical systems, the company did not dispatch an employee until Monday morning. Notifications were sent to individuals based on three risk tiers reflecting what personal information was breached: low risk (name, address, and member ID), medium risk (diagnosis or diagnosis code), or high risk (Social Security number); the first priority was to notify the high-risk members. Although the HITECH Act requires the company to notify individuals within 60 days of discovering the breach, the company informed the Department of Health and Human Services that meeting the deadline would be impossible given the volume of records to be reviewed; in accordance with the HITECH Act, the company provided media notice and notified the state Attorneys General in jurisdictions where over 500 members may reside. Additional state notification requirements were addressed in the notification letters, including specific information about obtaining credit reports or security freezes and how to report incidents of identity theft.


Relevance:
Background Facts:

  • BlueCross BlueShield of Tennessee ("BlueCross") provided a notification letter to the Attorney General of Maryland detailing a data breach it experienced.
Relevance to Business Activities:

  • security - physical and technical safeguards considerations:
    • unknown persons:
      • entered a data closet located at a leased facility and removed 57 hard drives containing encoded but not encrypted information (encoding is reversible without a key and provides no confidentiality): [Risk]
        • the information consisted of:
          • recorded telephone calls from providers and members to BlueCross' customer service representatives; [Risk] and
          • video "screen shots" of the BlueCross customer service representative's computer screen during the customer service call. [Risk]
        • 3 sets of audio were affected:
          • the first two sets contained approximately 550,000 audio files and over 300,000 video files;
          • approximately 600,000 audio files are estimated to exist in the third set;
          • the audio files:
            • typically contained:
              • a BlueCross subscriber ID; [Risk]
              • name and date of birth; and
              • a diagnosis or diagnosis code in some cases. [Risk]
            • did not usually contain a Social Security number ("SSN"); however:
              • the HIC number, which combines an SSN and letters, was mentioned in some calls. [Risk]
          • the video files showed SSNs with greater frequency. [Risk]
    • BlueCross' computer monitoring system generated a notice on Friday evening that there was an issue with the servers in the data closet: [Control]
      • the notice indicated only that servers were not functioning properly, not that there had been a theft. [Risk]
    • BlueCross did not dispatch an employee over the weekend since the servers were not critical to operations during the weekend: [Risk]
      • on Monday morning, an information systems employee:
        • was dispatched to physically service the equipment; and
        • discovered that the disk drives had been stolen.
    • additional physical security measures that have been added include:
      • additional video camera surveillance; [Control]
      • reviewing biometric and key card access readers; [Control] and
      • increasing security personnel. [Control]
  • breach response considerations:
    • BlueCross:
      • immediately reported the theft to law enforcement:
        • two full-time employees are assigned to investigate the theft and to work with local police and the FBI. [Control]
      • began the process of restoring back-up tapes of the hard drives at issue; [Control]
      • is in the process of reviewing the affected audio and video files:
        • an electronic solution for the review process could not be found, so a manual review of all the files was necessary. [Control]
      • dedicated 500 internal employees and hired approximately 300 temporary employees to aid in the review:
        • the full-time employees worked on two different shifts, six days a week. [Control]
      • is conducting a complete audit and assessment of its physical security at the rental space it was leasing; [Control]
      • hired a:
        • data recovery and computer forensics vendor:
          • to aid in data restoration, compilation and review. [Control]
        • computer expert to perform penetration testing of BlueCross' network and website: [Control]
          • to help strengthen security and prevent future breaches; and
          • even though the theft did not involve a penetration of the computer network.
        • vendor to:
          • send out notification letters;
          • staff a telephone call center; and
          • provide access to licensed investigators: [Control]
            • for any member who:
              • has questions regarding identity theft; or
              • thinks they may be a victim of identity theft.
            • who will have access to a proprietary database in order to determine whether there has been suspicious or fraudulent activity related to the member's identity.
          • provide investigation and restoration services to any minor: [Control]
            • whose personal information may be at risk; and
            • for whom typical credit monitoring may be insufficient, as minors do not have credit files.
      • notified:
        • the Secretary of the Department of Health and Human Services ("HHS"): [Control]
          • BlueCross informed HHS that it would not meet the mandatory 60-day HITECH deadline for notification to members: [Risk]
            • due to the sheer volume of data being reviewed.
          • periodic status updates are being provided to the Office for Civil Rights of HHS. [Control]
        • the Attorney General of Tennessee; [Control]
        • the Attorney General of Maryland, indicating: [Control]
          • the nature of the breach;
          • that an estimated 259 members whose information was lost reside in Maryland;
          • that notice will be provided to applicable state residents on a rolling basis as soon as they are identified; and
          • what services BlueCross will be offering members to help detect and prevent identity theft.
        • all three major credit bureaus:
          • additional notices will be sent once the final distribution of member notices is known. [Control]
        • group administrators:
          • informing employer groups of how BlueCross is handling notification of impacted members. [Control]
      • has begun the notification process for members identified as affected:
        • all potentially impacted members were assigned to one of three risk tiers:
          • lowest tier:
            • members whose name, subscriber ID, date of birth and/or address was present. [Control]
          • second tier:
            • all information from the lowest tier, plus diagnosis or diagnosis code. [Control]
          • third and highest risk tier:
            • members whose SSN may be at risk. [Control]
        • notification is prioritized based on risk tier:
          • the first priority is to notify members whose SSNs may be at risk: [Control]
            • they will receive a "tier 3" notification letter, which:
              • explains the nature of the breach;
              • advises members to monitor their claim activity by reviewing their explanation of benefits statements from BlueCross; and
              • offers free credit monitoring and identity theft insurance.
        • contact information (phone and email) is being provided in the member notices;
        • U.S. state notification requirements are met through additional sections: [Control]
          • Hawaii, Iowa, Maryland, Michigan, Missouri, North Carolina, Oregon, Vermont, Virginia, West Virginia, and Wyoming:
            • stating that BlueCross is required by state law to inform individuals that they may obtain a copy of their credit report for free; [Control] and
            • providing the contact information for the three major consumer reporting agencies. [Control]
          • Iowa:
            • stating that state law advises individuals to report any suspected identity theft to:
              • law enforcement; [Control] or
              • the Attorney General. [Control]
          • Oregon:
            • stating that state law advises individuals to report any suspected identity theft to:
              • law enforcement; [Control] or
              • the Federal Trade Commission ("FTC"). [Control]
          • Maryland and North Carolina:
            • stating that information about steps that can be taken to avoid identity theft can be obtained from:
              • the office of the Attorney General; [Control] and
              • the FTC. [Control]
            • contact information for the attorneys general and the FTC is provided. [Control]
          • Massachusetts and West Virginia:
            • explaining how individuals can obtain:
              • a police report if they are victims of identity theft; [Control] and
              • security freezes on their credit reports. [Control]
      • discovered several states in which over 500 members will be notified:
        • the HITECH Act requires that media notice be provided in any jurisdiction where over 500 members may reside; [Control]
        • all Attorneys General in those states are being notified [Control] so that they:
          • may be aware of BlueCross' activities; and
          • can address questions they may receive from members of those states.
      • posted on its website:
        • a copy of its HITECH-mandated press release; [Control] and
        • information from the FTC on how to detect and prevent identity theft. [Control]
Source Document:

http://www.oag.state.md.us/idtheft/Breach%20Notices/ITU182399.pdf
