According to a letter [pdf] sent to the Maryland Attorney General’s office by Elizabeth Shughrue, Privacy and Compliance Manager for CareFirst BlueCross BlueShield:
On July 18, 2008, the Privacy Office of CareFirst BlueCross BlueShield (CareFirst) was advised of a security breach by the Blue Cross and Blue Shield Association. The Blue Cross Blue Shield Association (BCBSA) shipped, via UPS, three compact disks containing the personal health information of 289 CareFirst members to an agent of the U.S. Office of Personnel Management. This information was not received by the agent.
In a corresponding notification letter to those affected, CareFirst writes that the password-protected disks contained Federal Employee Program members’ claim information, including subscriber or members’ first and last names, date of birth, contract number (R-number), social security number, and address. The disks were either lost or stolen from UPS.
Neither the letter nor the notification indicated whether the data were encrypted, nor whether the figure of 289 represented the total number of CareFirst members or subscribers affected or just those in Maryland.
Those affected were offered one year of free credit monitoring and the option of changing their FEP Program member number.