As I noted earlier this year, in October of 2009, 57 computer hard drives were reported stolen from a BlueCross BlueShield of Tennessee storage facility. After months of investigation, BlueCross said in January of this year that some 500,000 BlueCross members' personal information were now at risk. This included members’ names and BlueCross ID numbers as well as for some their date of birth and/or a Social Security number.
In its latest report on the theft dated 6 April, BlueCross is now saying that an additional 447,549 current and former members had their name, address, BlueCross member ID number and/or date of birth contained on the stolen drives. This brings the total number to 998,422 current and former BlueCross members having their personal information contained on the stolen drives, or about 1 out of every 3 members in the state.
BlueCross also says that, "As of April 2, 2010, there has been no documented incident of identity theft or credit fraud of BlueCross members as a result of this incident."
In January, BlueCross said that the theft had cost it $7 million and some 110,000 hours (or about 55 person years) to identify members at risk. The Chattanooga Times Free Press says that BlueCross hasn't indicated a new total cost, but that it admits notifying the additional 447,549 members will cost it $200,000.
There may be additional notifications, however. BlueCross reports, says the Free Press, that it is "98 percent complete in assessing all of the files for those who may have had diagnostic health information on their files and the company said it is about 90 percent complete in assessing all of the files for those who simply may have had their name and address on the stolen hard drives."
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.