Data Encryption at BlueCross

BlueCross Completes Industry-First Enterprise-Wide Data Encryption

Following '09 Hard Drive Theft, $6 Million Effort Ensures All At-Rest Protected Health Information is Secure


BlueCross BlueShield of Tennessee has successfully completed a $6 million effort to encrypt all at-rest data throughout its enterprise, giving members peace of mind that their personal information is secure.

In October 2009, 57 hard drives were stolen from a BlueCross facility. The hard drives contained audio and video recordings related to customer service telephone calls from providers and members, and included varying degrees of personal information on about 1 million members. To date, there is no indication of any misuse of personal data from the stolen hard drives.

In response to the theft, BlueCross worked to comply with all regulatory requirements, including notifying all impacted members and providing free credit monitoring services to members at a higher risk of identity theft. Next, the company launched and has now completed a major initiative to encrypt more than 885 terabytes of at-rest data residing within the enterprise.

“The trust of our members is one of our most important assets, and the hard drive theft represented a serious threat to that trust,” said Nick Coussoule, senior vice president and chief information officer for BlueCross. “The lessons we learned from the theft led us to go above and beyond current industry standards, and our team has worked tirelessly to put new safeguards in place and encrypt all our at-rest data.”

The company began by completing an exhaustive inventory of all the points where data resides within the company, from computer hard drives to servers and removable media devices, such as USB drives and CD/DVD burners. BlueCross divided the encryption efforts into six key areas of focus and completed the project in just over one year. As a result, all at-rest, or stored, data is now encrypted.

“We searched the country and were unable to find another company that has achieved this level of data encryption,” said Michael Lawley, vice president of technology shared services for BlueCross. “In addition to world-class information security technology, we have adopted even stricter policies and procedures that support our ongoing commitment to security. Our members can rest easier knowing we implemented this process to better protect their privacy.”

Data Encryption Stats

BlueCross invested $6 million and 5,000 man hours in the encryption effort, which includes:

  • 885 terabytes of mass data storage - roughly equivalent to 55,000 16GB smartphones or 35,000 single-layer Blu-ray discs
  • 1,000 Windows, AIX, SQL, VMware and Xen server hard drives
  • 6,000 desktop and laptop hard drives, including removable media ports
  • 25,000 daily voice call recordings
  • 136,000 volumes of backup tape

What is Data Encryption?

Data encryption is achieved through the use of algorithms, which convert normal, readable information into an indecipherable format, and secure keys, which allow only authorized users to convert the information back into a format they can use.

This means that even in the event of a theft or some other security breach, no unauthorized person would be able to read the data contained on BlueCross hardware, whether it was a computer, server or flash drive.

Page Modified: May 18, 2012