BlueCross Completes Industry First Enterprise-Wide Data Encryption

Following ’09 Hard Drive Theft, $6 Million Effort Ensures All At-Rest Protected Health Information is Secure

CHATTANOOGA, Tenn. — BlueCross BlueShield of Tennessee has successfully completed a $6 million effort to encrypt all at-rest data throughout its enterprise, giving members peace of mind that their personal information is secure.

In October 2009, 57 hard drives were stolen from a BlueCross facility. The hard drives contained audio and video recordings related to customer service telephone calls from providers and members, and included varying degrees of personal information on about 1 million members. To date, there is no indication of any misuse of personal data from the stolen hard drives.

In response to the theft, BlueCross worked to comply with all regulatory requirements, including notifying all impacted members and providing free credit monitoring services to members at a higher risk of identity theft. Next, the company launched and has now completed a major initiative to encrypt more than 885 terabytes of at-rest data residing within the enterprise.

“The trust of our members is one of our most important assets, and the hard drive theft represented a serious threat to that trust,” said Nick Coussoule, senior vice president and chief information officer for BlueCross. “The lessons we learned from the theft led us to go above and beyond current industry standards, and our team has worked tirelessly to put new safeguards in place and encrypt all our at-rest data.”

BlueCross invested more than $6 million and 5,000 man-hours in the data encryption effort, which included:

– 885 Terabytes of mass data storage
– 1,000 Windows, AIX, SQL, VMWare and Xen server hard drives
– 6,000 workstation hard drives and removable media drives
– 25,000 voice call recordings per day
– 136,000 volumes of backup tape

The company began by completing an exhaustive inventory of all the points where data resides within the company, from computer hard drives to servers and removable media devices, such as USB drives and CD/DVD burners. BlueCross divided the encryption efforts into six key areas of focus and completed the project in just over a year. As a result all at-rest, or stored, data is now encrypted.

“We searched the country and were unable to find another company that has achieved this level of data encryption,” said Michael Lawley, vice president of technology shared services for BlueCross. “In addition to world-class information security technology, we have adopted even stricter policies and procedures that support our ongoing commitment to security. Our members can rest easier knowing we implemented this process to better protect their privacy.”

Data encryption is achieved through the use of algorithms, which convert normal, readable information into an indecipherable format, and secure keys, which allow only authorized users to convert the information back into a format they can use. This means that even in the event of a theft or some other security breach, no one would be able to read the data contained on BlueCross hardware, whether it was a computer, server or flash drive.

For more information on BlueCross’ data encryption efforts, visit <a href=http://””>

About BlueCross
BlueCross BlueShield of Tennessee offers its customers peace of mind through affordable solutions for health and healing, life and living. Founded in 1945, the Chattanooga-based company is focused on reinventing the health plan for its 3 million members in Tennessee and across the country. Through its integrated health management approach, BlueCross provides patient-centric products and services that drive health improvement and positively impact health care quality and value. BlueCross BlueShield of Tennessee Inc. is an independent licensee of the BlueCross BlueShield Association. For more information, visit the company’s Web site at

Related Content