BlueCross data breach exposes 1 million

BlueCross BlueShield of Tennessee says that at least 998,422 current and former members could be at risk of identity theft because of the 57 BlueCross BlueShield computer hard drives that were stolen last fall.

Health Data Management reported that the count of potentially affected people had increased since mid-March, when BlueCross BlueShield had estimated that the data breach at a former call center in Tennessee had exposed personal or health information for roughly 521,000 people.

The hard drives contained 300,000 video files and 1.3 million audio files. HealthLeaders Media reported that the audio files were recorded phone conversations from Jan. 1, 2007 to Oct. 2, 2009 and contained customers' personal data and protected health information that was encoded but not encrypted.

The health insurer is saying that more than 238,000 members are at the highest risk for identity theft, because their compromised information included not only names, addresses and birth dates but also Social Security numbers.

Information for other members at risk was not as detailed; the most recent number affected includes about 447,000 people who were identified as being in the lowest risk category.

As of mid-March, the data breach had cost BlueCross and BlueShield of Tennessee $7 million, according to the Health Data Management report. The plan's employees and vendors had spent more than 114,000 man-hours reviewing back up data and notifying affected members.

BlueCross BlueShield officials say the company has encountered no evidence yet of any identity theft or fraud because of the data breach. The company is offering credit monitoring and identity theft protection services to all at-risk members.