The Associated Press reports that BCBS in Chattanooga now says that 220,000 members had personal information on the hard drives reported stolen in October, but that the number could go up to 500,000.
In other words, they still don’t know who had what on the stolen hard drives. By today’s standards, it’s taking them too long to sort this out, even if, as they claim, there’s no evidence that the data have been misused (yet). The statement on their site says:
In October 2009, 57 hard drives containing audio and video files related to coordination of care and eligibility telephone calls from providers and members were stolen from a leased facility in Chattanooga that formerly housed a BlueCross BlueShield of Tennessee call center. The video files were images from computer screens of BlueCross customer service representatives and the audio files were recorded phone conversations from January 1, 2007 to October 2, 2009.
The files contained BlueCross members’ personal data and protected health information that was encoded but not encrypted, including:
* Members’ names and BlueCross ID numbers
* In some recordings – but not all – diagnostic information, date of birth and/or a Social Security numberBlueCross immediately investigated the theft and continues to work closely with local and federal authorities in their investigation of this crime. In addition, BlueCross hired Kroll, a global leader in security services, to conduct an independent assessment of its system-wide security and has taken several actions to strengthen these protocols.