The scope of the October 2009 theft of Tennessee Blue Cross Blue Shield’s hard drives, initially estimated to involve 500,000 individuals, has grown to nearly a million subscribers, according to an updated notice posted on the insurance giant’s web site on April 6, 2010.

The company has classified the risk level into three tiers, with the most serious category, Tier 3, involving the disclosure of the individual’s name, address, BlueCross member ID number, diagnosis, Social Security number and/or date of birth. The 238,589 Tier 3 members have been offered free credit monitoring for one year, free identity monitoring through LifeLock Identity Alert™, and the Kroll ID TheftSmart program free for one year. Subscribers in Tier 1 (447,549 members) and Tier 2 (312,284 members), whose data exposure was less comprehensive, are being offered a reduced package of remediation services.

The stolen hard drives contained audio and video training recordings, not text or database records. The delay in identifying additional affected members may have been the result of the compromised files requiring individual review. As of April 2, 2010, the total tally has reached 998,422, of which 550,873 have been notified of the breach and their rights so far.

The cost of investigating and remediating this high-profile breach should serve as a wake-up call to all covered entities and business associates. If your data is not properly secured and encrypted, all it takes is the loss or theft of a few laptops, smartphones, thumb drives or other storage media to generate serious expense, not to mention PR damage.