A break-in one evening last October at a shopping mall in Chattanooga, Tennessee, is proving expensive for BlueCross BlueShield of Tennessee.
Over the past five months, the company has employed a small army of workers to sort through the aftermath of what has proved to be a large and complex breach. Late last year, BlueCross and forensics company Kroll OnTrack employed 500 full-time workers and 300 part-time employees, working in two shifts, six days a week, to piece together what happened, the company said in a letter posted to the Maryland attorney general's Web site over the weekend.
As with many data breaches, this one can be traced back to a burglary involving unencrypted data.
On Oct. 2, someone stole 57 hard drives from a closet at the health insurance company's training center in Chattanooga's Eastgate Town Center mall. The drives contained recordings of more than 1 million customer support calls, totalling 50,000 hours of conversation. There were also 300,000 screen shots, showing what BlueCross representatives had on their computer monitors at the time some of the calls were made.
In most of the calls, subscribers provided their BlueCross ID number, name and date of birth -- not enough information for criminals to pull off an identity theft scam. But in some calls, Medicare subscribers provided what's known as a Health Insurance Claim (HIC) number, which contains the subscriber's Social Security number. Many of the screen shots also include Social Security numbers, and that information can be used in identity theft.
So for the past five months, BlueCross has been sorting out which of its 3 million customers to notify of the breach. "Unfortunately, after checking with numerous vendors throughout the country, an electronic solution could not be formulated, and a largely manual review of audio and video files has been necessary," BlueCross said in the letter, dated Dec. 16.
"We made the decision that there is really no substitute for actually manually going through it and looking at the video screens or listening to the audio," said Roy Vaughn, a BlueCross BlueShield of Tennessee spokesman. "It has to be reviewed."
To date, BlueCross has identified more than half a million affected customers and sent notification letters to about 300,000, according to the BlueCross Web site. As of Jan. 8, more than 110,000 work-hours had been spent reviewing the material.
The process has cost more than US$7 million so far, and it will be several months more before the notification effort is concluded, Vaughn said.
The average data breach costs $6.75 million, according to Michael Spinney, a senior privacy analyst with the Ponemon Institute. However, the BlueCross incident is more complex than a typical data breach, he said. "It sounds like they're going to be paying a lot more."
BlueCross is offering victims free credit monitoring, though Vaughn said most victims faced a "low risk" of having their personal information misused.
It is also auditing its security practices and has hired a former Department of Defense cybercrimes agent named Stephen Baird to conduct penetration tests of the company's security. BlueCross has also assigned two internal investigators to look into the theft, full time.
"We are determined to prevent any future thefts," the letter reads. "It is an understatement to say that BlueCross regrets this data breach."