In October last year, 68 computer hard drives were reported stolen from a BlueCross BlueShield of Tennessee storage facility in Chattanooga. At the time, BlueCross officials said they did not know if any personal information was on any of the drives.
In November, BlueCross officials said that the drives did contain members' personal information, but did not know how many of its nearly 3 million members were affected.
In December, BlueCross officials said that 57, not 68, computer hard drives had been stolen and that the data was encoded but not encrypted.
Then earlier this week, BlueCross BlueShield said that it estimated that 1.3 million audio files and 300K video files were stolen, and that some 500,000 BlueCross members' personal information was at risk. This included members’ names and BlueCross ID numbers as well as, for some, their date of birth and/or Social Security number.
BlueCross also said that since the theft it has spent 110,000 hours (or about 55 person-years) identifying members at risk.
In related news, Connecticut Attorney General Richard Blumenthal said in a press release that he was suing Health Net of Connecticut, Inc. for failing to secure private patient medical records and financial information involving 446,000 Connecticut enrollees, and for failing to promptly notify the consumers endangered by the security breach, as required by the Health Insurance Portability and Accountability Act under the new HITECH legislation.
According to the AG's press release, "On or about May 14, 2009, Health Net learned that a portable computer disk drive disappeared from the company's Shelton [Connecticut] office. The disk contained protected health information, social security numbers, and bank account numbers for approximately 446,000 past and present Connecticut enrollees. ...The missing information included 27.7 million scanned pages of over 120 different types of documents, including insurance claim forms, membership forms, appeals and grievances, correspondence and medical records."
"According to an investigative report by Kroll Inc., a computer forensic consulting firm hired by Health Net, the data was not encrypted or otherwise protected from access and viewing by unauthorized persons or third parties, but rather was viewable through the use of commonly available software."
"Despite its own policies and requirements of federal law, Health Net failed to encrypt this private and protected information or promptly notify Connecticut residents whose personal information may have been compromised. It wasn't until six months after Health Net discovered the breach that it posted a notice on its website, and then sent letters to consumers on a rolling mailing basis beginning on Nov. 30, 2009."
Both cases point to the continuing failure to encrypt patient data among major healthcare companies, not only in the US but elsewhere as well.
Just yesterday, according to this story on the CBC, Ontario, Canada's privacy commissioner Ann Cavoukian ordered the Durham Health Region to make sure its computerized health records are "strongly encrypted." Last December, a USB memory stick containing information on 83,000 patients was lost; the data had been collected during H1N1 flu vaccination clinics in the Durham Health Region between October 23 and December 15, 2009.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.