Data theft creates notification nightmare for BlueCross
IDG News Service - A break-in one evening last October at a shopping mall in Chattanooga, Tennessee, is proving expensive for BlueCross BlueShield of Tennessee.
Over the past five months, the company has employed a small army of workers to sort through the aftermath of what has proved to be a large and complex breach. Late last year, BlueCross and forensics company Kroll OnTrack employed 500 full-time workers and 300 part-time employees, working in two shifts, six days a week, to piece together what happened, the company said in a letter posted to the Maryland attorney general's Web site over the weekend.
As with many data breaches, this one can be traced back to a burglary involving unencrypted data.
On Oct. 2, someone stole 57 hard drives from a closet at the health insurance company's training center in Chattanooga's Eastgate Town Center mall. The drives contained recordings of more than 1 million customer support calls, totalling 50,000 hours of conversation. There were also 300,000 screen shots, showing what BlueCross representatives had on their computer monitors at the time some of the calls were made.
In most of the calls, subscribers provided their BlueCross ID number, name and date of birth -- not enough information for criminals to pull off an identity theft scam. But in some calls, Medicare subscribers provided what's known as a Health Insurance Claim (HIC) number, which contains the subscriber's Social Security number. Many of the screen shots also include Social Security numbers, and that information can be used in identity theft.
So for the past five months, BlueCross has been sorting out which of its 3 million customers to notify of the breach. "Unfortunately, after checking with numerous vendors throughout the country, an electronic solution could not be formulated, and a largely manual review of audio and video files has been necessary," BlueCross said in the letter, dated Dec. 16.
"We made the decision that there is really no substitute for actually manually going through it and looking at the video screens or listening to the audio," said Roy Vaughn, a BlueCross BlueShield of Tennessee spokesman. "It has to be reviewed."
To date, BlueCross has identified more than half a million affected customers and sent notification letters to about 300,000, according to the BlueCross Web site. As of Jan. 8, more than 110,000 work-hours had been spent reviewing the material.
The process has cost more than US$7 million so far, and it will be several months more before the notification effort is concluded, Vaughn said.
The average data breach costs $6.75 million, according to Michael Spinney, a senior privacy analyst with the Ponemon Institute. However, the BlueCross incident is more complex than a typical data breach, he said. "It sounds like they're going to be paying a lot more."
BlueCross is offering victims free credit monitoring, though Vaughn said most victims faced a "low risk" of having their personal information misused.
It is also auditing its security practices and has hired a former Department of Defense cybercrimes agent named Stephen Baird to conduct penetration tests of the company's security. BlueCross has also assigned two internal investigators to look into the theft, full time.
"We are determined to prevent any future thefts," the letter reads. "It is an understatement to say that BlueCross regrets this data breach."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts