
For A Few Thousand $, Blue Cross Could Have Saved $7million

Stolen Computers Have Health Insurer Feeling Blue and Cross

Stolen Computers Trigger a Big Financial Bite and Public Relations Nightmares

ADDITIONAL LINKS:

  • Updates on New and Pending Legislation.
  • New Enterprise Level Data Erasure methods
  • NIST special publication 800-88 media sanitization guidelines

Can we just say this up front? The expenditure of a few thousand dollars in October could have saved BlueCross BlueShield of Tennessee $7 million (and counting) over the long term. That's the amount of money the Chattanooga-based health insurer has spent so far on damage control from the latest high-profile private data breach event to hit the medical services industry. It's likely a fraction of what the final bill will total.

In October 2009, private data belonging to about 500,000 BCBS customers was stolen by unknown criminal parties, along with the 57 PCs on which it was stored. The decommissioned computers were warehoused in a vacant office building awaiting return to the vendor under the terms of the lease agreement. The hard drives contained a wide range of member records, including benefit I.D. numbers, social security numbers and possibly diagnoses or diagnostic codes. According to reports in the Chattanooga Times Free Press, the company has received 8,728 member calls related to the theft so far, and about 20,500 members of BlueCross plans have taken advantage of the company's offer of free credit monitoring services.

BCBS of Tennessee is now in the process of identifying what data may have been on the drives and notifying customers about the privacy breach. Here’s the kicker: the deployment of an inexpensive, hardware-based HDD purging solution would not only have cleared the data from the drives, it would have also provided an audit trail to verify exactly what was destroyed. All 57 drives could have been erased in less than a day.

Because this type of data destruction technology is cited by NIST in its Media Sanitization Guidelines, Special Publication 800-88, Blue Cross would have been in automatic compliance with HITECH regulations. BCBS would have been exempt from penalties and most likely from notification requirements. To comply with the Health Information Technology for Economic and Clinical Health Act adopted last year, BCBS must notify attorneys general in 32 states.

The most troubling aspect of this scenario is that the base scenario – storage of decommissioned hard drives and other electronic media without purging end-of-life data files – is a series of disasters waiting to happen across the country and around the world.
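The verification and audit-trail step referred to above, as an added illustration that is not code from BlueCross or from any vendor product: after a drive has been overwritten, read back sampled sectors to confirm the overwrite pattern, then write a per-drive log entry that records what was verified, how, when and by whom. The drive serials, operator name, method label and the two 1 MiB disk images are constructed for this example.

```python
import hashlib
import io
import json
import random
from datetime import datetime, timezone

SECTOR = 512

def verify_sanitized(device, size, pattern=b"\x00", sample_sectors=64, seed=None):
    """Purge verification: read sampled sectors from an already-overwritten device
    (any binary file-like object) and confirm each equals the overwrite pattern.
    sample_sectors >= total sectors means a full read-back. Returns (passed, sectors_checked, first_bad_offset)."""
    rng = random.Random(seed)
    total = size // SECTOR
    picks = sorted(rng.sample(range(total), min(sample_sectors, total)))
    expected = pattern * (SECTOR // len(pattern))
    for sector in picks:
        device.seek(sector * SECTOR)
        if device.read(SECTOR) != expected:
            return False, picks, sector * SECTOR   # residual data found at this offset
    return True, picks, None

def audit_record(serial, method, passed, sectors_checked, operator):
    """Per-drive entry for the decommissioning log: what was sanitized, how, when,
    by whom, and the verification outcome; the SHA-256 lets later edits to the entry be detected."""
    rec = {
        "drive_serial": serial,
        "method": method,
        "verified_utc": datetime.now(timezone.utc).isoformat(),
        "sectors_sampled": len(sectors_checked),
        "result": "PASS" if passed else "FAIL",
        "operator": operator,
    }
    body = json.dumps(rec, sort_keys=True).encode()
    rec["record_sha256"] = hashlib.sha256(body).hexdigest()
    return rec

def sample_images():
    """Constructed 1 MiB 'disks': one fully zeroed, one where sector 100 still
    holds member data (a purge that never ran or silently failed)."""
    size = 1 << 20
    dirty = bytearray(size)
    dirty[100 * SECTOR:101 * SECTOR] = b"BENEFIT-ID 000123 (constructed residue)".ljust(SECTOR, b"x")
    return io.BytesIO(bytes(size)), io.BytesIO(bytes(dirty)), size

if __name__ == "__main__":
    clean, dirty, size = sample_images()
    for serial, img in (("CONSTRUCTED-SN-1", clean), ("CONSTRUCTED-SN-2", dirty)):
        passed, picks, bad = verify_sanitized(img, size, sample_sectors=size // SECTOR)
        print(json.dumps(audit_record(serial, "overwrite+verify", passed, picks, "ops")), bad)
```

Against a real device the same function takes the opened block device and its size; a FAIL entry is the signal that the drive must not leave the building.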

A more complete summary of the HITECH bill's provisions is available here.
