With the HITECH breach notification rules weeks away from taking effect, BlueCross BlueShield of Tennessee is scrambling to control the damage from the October 2009 theft of 57 hard drives containing sensitive patient information. In a notice posted on its website as of January 13, 2010, the company stated that hard drives containing audio and video files related to coordination of care and eligibility telephone calls from providers and members were stolen from a former call center, including video images from computer screens of customer service representatives and audio files of recorded phone conversations. The files contained members’ personal data and protected health information, including members’ names and BlueCross ID numbers, diagnostic information, dates of birth and Social Security numbers. This information was encoded but not encrypted, and the company has no evidence that the data has been accessed or used by the thieves.

The company has chosen to voluntarily follow the HITECH notice rules that formally kick in as of February 22, 2010. They estimate that the breach may have affected up to a total of 500,000 members in all 50 states. So far, they have identified approximately 220,000 members whose data may have been compromised and are in the process of sending them notices by mail. They have identified 32 states with 500 or more members whose data may be at risk. The company notified the Secretary of HHS, the State of Tennessee and the attorney general’s office and media in each state with 500 or more affected members, and notified all three credit bureaus.

The company is also offering a one-year free credit-monitoring membership through Equifax to affected members, and three tiers of additional protective services based on the amount of information believed to have been compromised.

The company’s first challenge has been to identify affected members. They have engaged a national security consultant, Kroll, Unlike patient information in text or database format that could be easily reviewed to identify patients at risk (and “mined” for identity theft purposes), the hundreds of thousands of audio and video recordings must be manually reviewed.