BCBS of Tenn. Encrypts All Stored Data

Security Action Taken in Wake of Major Breach Incident
BlueCross BlueShield of Tennessee, which experienced a health information breach affecting nearly 1 million individuals in 2009, has completed the encryption of all its stored data.

In the aftermath of the October 2009 incident, which involved the theft of 57 unencrypted hard drives from servers at a call center that had recently closed, officials at the insurer last year described security steps they planned to take, including widespread use of encryption (see: BCBS of Tenn. Breach: Lessons Learned). The Blues plan now says it has invested more than $6 million and 5,000 man-hours in encrypting all data at rest, a total of 885 terabytes of information. That includes patient information on computer hard drives, servers and removable media.

The health insurer notes that there's still no evidence of any misuse of personal data stored on the stolen hard drives.

Explaining the decision to widely deploy encryption, Nick Coussoule, senior vice president and CIO, points to the need to reassure customers that their information is well-protected. "We looked at it as a trust issue," he says. The breach incident helped to illustrate that the health insurer needed to take additional steps to protect against the physical theft of information, he acknowledges.

Data encrypted included information on 1,000 server hard drives as well as 6,000 workstation hard drives and removable media drives. It also included 25,000 voice call recordings per day and 136,000 volumes of backup tape. Laptops had been encrypted before the breach incident, Coussoule notes. The $6 million cost for the massive encryption effort is in addition to the at least $7 million price tag for dealing with the immediate aftermath of the breach, Coussoule acknowledges.

Encryption Strategy

The encryption effort "didn't cause any performance degradation hits," thanks to recent improvements in the technology, says Michael Lawley, vice president of technology shared services.

Rather than attempting to pinpoint where all protected health information resided so it could be encrypted, the health insurer decided to encrypt all its stored data to help speed the process, Lawley explains. "Had we gone through the process of verifying and pinpointing each data store, we'd still be in the implementation phase for encryption," he notes.

In addition to encryption, the Blues plan has improved data security for servers at all its remote sites in the wake of the breach incident at the call center, Lawley says.

Cages were added outside the doors to data closets. Once an authorized staff member unlocks the cage, they must use a fingerprint scanner to unlock the door. In addition, removing a drive from a server now requires the use of another key.

After the breach, the insurer created the new position of chief security officer, who now oversees physical security. A chief information security officer, who reports to the chief security officer, oversees all information security policies. Lawley says his technology shared services team handles day-to-day security operations. Plus, an internal audit team is available "for checks and balances," he adds.

Details of Incident

The hard drives stolen in the 2009 incident contained audio and video files related to coordination of care and insurance eligibility telephone calls from healthcare providers and members. The video files were images from the computer screens of customer service representatives.

The BlueCross BlueShield plan offered free credit monitoring to about 240,000 of the 1 million individuals whose information was on the drives, focusing on those at highest risk of identity theft. But it notified all those potentially affected by the breach, as required by the HITECH Act breach notification rule.

About the Author

Howard Anderson

News Editor, ISMG

Howard J. Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 34 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
