Thursday, December 31, 2009

We Get Mail

So yesterday’s mail finally brought a letter from BlueCross BlueShield of Tennessee. It reads:
On Monday, October 5, 2009 at 10:00 a.m., BlueCross BlueShield of Tennessee, Inc. employees discovered a theft of computer equipment at a network closet located in our Eastgate Town Center office location in Chattanooga, TN. The theft occurred Friday, October 2, 2009 at approximately 6:13 p.m. BlueCross BlueShield of Tennessee has established that the items taken include 57 hard drives, containing data which was encoded but not encrypted.

I wrote about this data theft waaaay back on November 25. The letter we received yesterday was dated December 24.

The theft occurred October 2. That’s two and a half months between when the theft occurred and when we were notified. And I’ve known about it for a month.

You know, when computers were stolen from the Davidson County Election Commission, we knew about it right away. Guess the private world doesn’t work that way.

Moving on:

The hard drives contained encoded audio and video recordings of member and provider eligibility and coordination of benefits calls to BlueCross BlueShield of Tennessee’s Eastgate call center. As a current or former member, BlueCross BlueShield of Tennessee has identified that some of your information was stored on the hard drives and potentially could be accessed. The information potentially at risk includes your name, address, member ID, diagnosis code, Social Security number and/or date of birth.

Well that’s just lovely. Thanks for waiting two and a half months to let me know.

This is the second data breach for BlueCross/Blue Shield this year, it appears. Also in October, a laptop containing sensitive physician information was stolen:

This is the second reported insurance company data breach this year involving thousands of physicians. The other came to light in October when BlueCross BlueShield-affiliated plans across the country began notifying physicians that a laptop belonging to an employee of the Chicago-based BlueCross BlueShield Assn. was stolen in August.

An unencrypted file containing identifying information for every Blues-contracted physician in the country -- about 850,000 physicians in total -- was saved on the laptop. So far there's been no evidence the data have been misused, but state regulators have been critical of the Blues for allowing the breach to happen and for taking months to report it.

Taking months to report it, huh? Where have we heard that before?

So, we’re being offered Kroll’s “ID TheftSmart™” program to monitor us for identity theft for one year. Kroll is one of those major business intelligence/security firms that always scare the crap out of me, sort of like a privatized NSA. I think I’d rather stay off their radar, thank you. And I always get suspicious when one giant corporation that knows too much about me wants to sign me up with another giant corporation that knows too much about me. Something doesn’t smell right here.

Anyway, I’ve seen local news reports on this BlueCross BlueShield hard drive theft, but I haven’t seen anything in the national news about it, which I find puzzling. Has there been some kind of news blackout? After all, it's affected tens of thousands of customers all around the country.

Seems to me this kind of stuff is happening with increasing frequency. HealthNet lost a drive with information on its members and physicians, and waited a full six months to tell anyone.

That just isn't right. If we're forced to do business with you people, as a government mandate, then there needs to be some kind of penalty when you folks twiddle your thumbs while customers' Social Security numbers and other private information are out there loose in the world, waiting for anyone to snap up. I don't think they take our privacy very seriously, and I think waiting six months or even two months to notify customers shows you were more concerned about covering your own asses than your customers' protection. Also, I don't think one year's worth of "identity theft protection" is going to make anyone feel better. What happens in two years? Three?

Anyway, just a thought. The media coverage of this has been a big fail (no surprise there) and I get the sneaking suspicion that BlueCross BlueShield is hoping no one will really notice.