BlueCross BlueShield of Tennessee has spent more than $7 million cleaning up after a data breach they had announced in October 2009. I’d say there was a good chance that all of this could have been averted with the use of hard drive encryption.
57 Hard Drives Stolen
In October of last year, BCBS of TN announced the theft of hard drives from a training facility. Initially, reports had mentioned that 68 drives had been stolen, but more recent stories are reporting that it was actually 57 drives.
Overall, it was a highly frustrating story to keep track of. Aside from the above, it was at times reported that personal information was unlikely to exist in the stolen drives. Then, BCBS did an about-face, saying that personal information was stored on the devices.
Also, initial reports noted that encryption software was used on the hard drives. About two months later, it turned out that encryption was not used; the data was encoded. Whatever that means.
I’m not sure how much we can blame BCBS on these reversals in details, though. On-line news has become so trigger-happy that sometimes the blame lies on the messenger.
700 People Working On Identifying Content
Why is it costing BCBS so much money? Especially when you consider they aren’t even done with their investigation? I imagine a sizable portion is due to the free credit-monitoring service that was offered to those affected. Of the 220,000 people that were notified, 20,500 have already signed up for the service.
It also turns out that they’ve got 700 people working on identifying what and who was breached. Why 700 people? The information included video and audio files. I assume that, since there is no reliable way of extracting information from such files, people have to play the files one by one and note whether names, SSNs, and other personal information is found within them.
Like I’ve noted, the use of disk encryption would have prevented the need for expending so much money and manpower and time (recently passed HITECH laws give safe harbor when encryption is used to protect data controlled by HIPAA-covered entities, if I’m not wrong).
On the other hand, an alternative and better method may have been destroying any data that was not necessary anymore, operational or legal-wise.
Related Articles and Sites: