When will the process of notifying affected members be completed?
BlueCross BlueShield of Tennessee and Kroll began review of the backup files when the theft was discovered in early October and are working as quickly as possible to notify all affected members. As of January 8, 2010, more than 110,000 hours were spent during this effort to identify members at risk. We anticipate most notifications will be complete by the end of first quarter 2010.
What was the nature of the at-risk data?
The hard drives contained audio and video files related to coordination of care and eligibility telephone calls from providers and members. The video files were images from computer screens of BlueCross customer service representatives and the audio files were recorded phone conversations from January 1, 2007 to October 2, 2009.
Are all affected members being notified at the same time?
No. Three levels of risk have been identified for those members whose information may be at risk. Letters are being mailed to these current and former BlueCross members explaining the level at which their personal information is at risk, beginning with those whose social security numbers may have been identified.
Is it possible that a member might be included in more than one tier and receive more than one letter?
Yes. It is possible that information about a member or more than one person covered in that member’s family may be on more than one phone call. Our priority notifications are going to the members whose social security numbers are potentially at risk. Because of the time period involved for recording the data, it is possible that one member may be on more than one tier. In these instances, members will receive the monitoring and protection services based on their highest level of risk. Our goal is for the member to receive only one letter for their highest level of risk and the protection offered.
Is BlueCross aware of any attempt to use this information to the detriment of the members involved?
No. To date, there is no evidence any member’s data has been accessed and used as a result of the theft. BlueCross is committed to protecting its customers’ personal information and takes seriously any risks associated with this crime. BlueCross believes there is minimal risk of members’ data being accessed due to the specialized nature of the hardware stolen and the difficulties associated with accessing the stored data.
Law enforcement agencies working on the investigation of the theft are regularly monitoring activity on Web sites known to participate in illegal identity theft activities, as well as online marketplace and community networks.
Why is it taking so long to notify members?
BlueCross had backup files of all stolen data and is working with Kroll, a global leader in security services, to review the backup files and identify members whose personal information may be at risk. Due to the amount and types of the data involved, it is taking significant time to individually review each audio and video recording. As of January 8, 2010, more than 110,000 hours were spent to identify members at risk. BlueCross and Kroll are working as quickly as possible to notify all affected members.
Is there anything additional that privacy officers at BlueCross group accounts whose employees are affected are required to do or to provide their enrolled employees?
No. BlueCross is complying with all federal and state requirements on behalf of all its group accounts, so nothing more is required for customers that are group accounts. BlueCross notifies the Secretary of the Department of Health and Human Services, the State of Tennessee and the attorney general’s office and media in each state with 500 or more affected members, as required by the Health Information Technology for Economic and Clinical Health Act (“HITECH Act”) and its implementing regulations. BlueCross has also placed a notice with all three credit bureaus regarding this theft. While individual member companies may want to consult their own counsel, BlueCross does not believe they need to take any additional actions.
When does the one year of free credit monitoring begin?
The letter sent to at-risk members provides specific instructions for the time frame to sign up along with an Equifax coupon prepaid by BlueCross. The one-year period begins when the member activates the coupon as outlined in the letter.
Why doesn’t the free credit monitoring start retroactive to the date of the theft?
BlueCross could not offer the free monitoring services until at-risk members were identified. We will work with any member who believes he or she was harmed as a result of the theft.
What is BlueCross doing to ensure its data is secure moving forward?
The hard drives were stolen from a leased facility in Chattanooga that formerly housed a BlueCross call center prior to its move to its new, state-of-the-art secure headquarters on Cameron Hill. BlueCross immediately investigated the theft and continues to work closely with local and federal authorities in their investigation of this crime. In addition, BlueCross hired Kroll, a global leader in security services, to conduct an independent assessment of its system-wide security and has already taken several actions to strengthen these protocols.
What is the difference between encoding and encrypting?
The encoding process makes data more difficult to access in a usable form. Encryption transforms information, making it unreadable without a key.
Will group accounts receive a comprehensive list of all their employee members affected with the list showing which tier letter the member received?
Yes. BlueCross will provide this information in the second quarter of 2010, once all members affected are identified and notified.
Is BlueCross offering a reward to help solve this crime?
No. BlueCross immediately investigated the theft and continues to work closely with local and federal authorities in their investigation of this crime. These experts have advised that offering a reward is not recommended in this type of case, as it may create additional opportunities for illegal activities.
Will group accounts be notified if an employee member discovers that his/her ID has been compromised as a result of the theft?
BlueCross will provide group administrators a listing of members who access the free restoration services BlueCross offers them through Kroll.
Why must members requesting the Equifax free credit monitoring provide information about their loans or mortgages?
Equifax is a national credit bureau that monitors credit history. When they receive the member’s request for the free monitoring services offered by BlueCross, Equifax must verify the history by asking specific questions about the member’s past credit. That is how Equifax validates that the appropriate individual receives the credit monitoring services.
What should a member do if they have trouble using the coupon provided by BlueCross to activate the free Equifax monitoring?
There are a few scenarios that may result in a member having difficulty accessing the free Equifax monitoring using the coupon code provided in the letter they received from BlueCross. Any member who has a problem activating the service either by the online registration process or the US Mail Delivery phone process should call Equifax at 1-866-252-4576.
Note that while BlueCross is paying for the service, it cannot register the member for the service but can provide guidance to members to help navigate the registration process. Equifax is an independent national credit bureau not affiliated with BlueCross.
When will the Web site be updated?
The Web site will be updated at least semi-monthly. Breaking news about the crime will be posted immediately as appropriate. The BlueCross internal crisis response team, which includes key representatives from each area involved in the investigation, response and communication process, meets daily to review the case and discuss new information or questions from members.
What will happen when the free one year monitoring period expires?
It is possible that Equifax may contact the member to ask if they wish to continue the services after the pre-paid period is over. While BlueCross paid for a year of free service, once the member activates the coupon to obtain it, the member becomes a customer of Equifax.
Why were the letters for minors delayed?
The identity theft coverage available for adults does not cover minors. BlueCross researched and obtained special coverage to protect minor identities, which delayed the notifications.
What coverage will at-risk minors receive?
Minors are offered a free year of Kroll’s ID TheftSmart™ program and a one-year free LifeLock for Children membership.
What period of time did the data files on the stolen hard drives cover?
The video files were images from computer screens of BlueCross customer service representatives and the audio files were recorded phone conversations from January 1, 2007 to October 2, 2009.
What if a member who is now deceased is among the at-risk members?
BlueCross will notify the appropriate estate executor if we are made aware of any deceased individual among those at risk.
Do you know what the motive for the theft was? When will an arrest be made?
BlueCross is working with local and federal law enforcement authorities in every way possible to arrest the people responsible for this crime. As the criminal investigation is ongoing, we cannot discuss details about the incident to help ensure we do not hinder progress in the effort.
Can an at-risk member request a new ID number?
BlueCross does not routinely issue a new ID number when a member’s card is lost or stolen. The ID number is associated with claims information including deductible, out-of-pocket amounts, claims history and pending claims that have not been processed, but doesn’t include credit history or access to a Social Security number. Changing the number could result in difficulties in ensuring a member’s claims are paid appropriately.
What happens if a group suffers a loss due to fraudulent use of an at-risk member’s stolen ID number?
In the unlikely event that health services are obtained fraudulently with a stolen ID number, BlueCross will work with the group affected to mitigate the situation.
How many of those eligible have signed up for the credit monitoring?
As of January 19, 2010, there were 20,490 credit monitoring codes activated by at-risk members.
How many calls has BlueCross received from customers affected by the theft?
As of January 15, 2010, there were 8,728 calls from members inquiring about the theft. This includes calls to Kroll and BlueCross call centers.
What are the hours of the call centers for information about the theft and the services offered to at-risk members?
The BlueCross Eastgate Response Center is available Monday thru Saturday from 8:00 am to 7:00 pm EST at 1-888-422-2786. Members may also email questions to Privacy_Questions_GM@bcbst.com. This call center can answer questions about BlueCross’s response to the theft and provide information about the levels of risk, the free services BlueCross is offering to at-risk members and how to access them.
Equifax Customer Service assistance is available 24 hours a day, 7 days a week, at 1-866-937-8432. This call center can activate the coupon provided to at-risk members for credit monitoring.
The Kroll Customer Call Center is available Monday thru Friday from 7:00 am to 6:00 pm EST at 1-866-599-7347. This center can provide access to the free Kroll ID TheftSmart™ and other Kroll services BlueCross is providing at-risk members.
Will group accounts be notified in advance of any pending news media reports?
When BlueCross is aware of any previously undisclosed major news about the theft or its response to the theft, it will work with the Crisis Response team to ensure that group accounts, brokers and members are appropriately notified as quickly as possible. Breaking news about the case will be posted to this Web site as soon as possible.
Will BlueCross let someone defer their enrollment in the Equifax service for a year?
At-risk members may activate the pre-paid coupon for a year of free monitoring at any time until November 30, 2010. However, if the at-risk member chooses to delay activation of their code and they experience an identity theft as a result of the theft after BlueCross offered them the monitoring, they will not be covered by the $1 million insurance policy offered by Equifax.
Is BlueCross aware of the recent settlement by LifeLock?
As BlueCross BlueShield of Tennessee was evaluating credit monitoring and identity protection services for members whose personal data was included on the hard drives stolen from its Eastgate Town Center office location, it recognized that many affected members were minor-aged children with no established credit history. In those circumstances, BlueCross engaged LifeLock, a leader in identity theft protection, to provide its LifeLock® for Children Identity protection services designed to protect against the misuse of a minor’s personal information.
Recently, it was announced that LifeLock had agreed to pay $12 million to settle charges that the company failed to protect customers against identity fraud as advertised and put customer data at risk. The complaints against LifeLock stemmed from a Federal Trade Commission (FTC) review that claimed that LifeLock’s past practices of placing fraud alerts on customer credit files only protected against certain forms of identity fraud and did not stop identity theft. However, there were no allegations of deceptive claims against its identity protection services for children, since that service doesn’t necessitate monitoring existing account activity on consumer credit reports.
BlueCross is confident in its decision to offer affected members Equifax, LifeLock and Kroll identity theft and restoration services. These services provide the best in credit and personal data monitoring and protection. BlueCross encourages its affected members to take advantage of these services. In addition to their services, Equifax offers $1 million identity theft insurance and LifeLock provides a $1 million Total Service Guarantee for complete peace of mind.