The Rest of the Story
- Date: 19 August 2011
- Author: broyer
- Category: Encryption, News
Constant readers of this blog know that at one time in my life I followed (rather stumbled upon) Paul Harvey and his semi-weekly 3-min radio segment “The Rest of the Story.” In this bite-sized segment Paul would bring his listeners the background story of a famous and at first unidentified person (actor, athlete, author, what have you), describe some turning point in their lives and then show how that inflection point changed that individual’s point of view (or fortunes) as they became the celebrity we would all come to know, albeit on a slightly more familiar basis. The charm was always in Paul’s punch line, coupled with never revealing the name of his subject until the last few seconds of the story. In fact, in nearly every instance I found myself riveted, unable to turn the dial to another station until Paul signed off with his trademark line, “And now you know the rest of the story.”
While it isn’t entirely on the same level as that, consider this post a follow-up to my March 2010 blog “Don’t Let This Happen to You” detailing BlueCross BlueShield (BCBS) of Tennessee’s loss of 57 unencrypted hard drives, presumably stolen by person or persons unknown, which placed the personal data of more than a million of their members at risk.
Here in August 2011, the healthcare provider announced that it has completed a $6 million project that encrypts all at-rest data throughout its enterprise. According to this news article in Network World, the company said it spent more than 5,000 man-hours on the encryption effort, which encompassed about 885TB of at-rest data.
The unencrypted drives contained recordings of more than 1 million customer support calls, totaling more than 50,000 hours of conversation. Included on these drives were also 300,000 screen shots, showing what BlueCross representatives had on their computer monitors at the time the calls were made.
Immediately following the breach, BlueCross BlueShield mustered the services of a “small army” of workers — more than 500 full-time workers and 300 part-time employees to MANUALLY examine every screen shot and listen to every minute of every phone conversation, at a cost of more than $7M.
BCBS said it is now encrypting all data on 1,000 Windows, AIX, SQL, VMware and Xen server hard drives; 6,000 workstation hard drives and removable media drives; 136,000 tape backup volumes; and 25,000 voice call recordings per day.
The company said it inventoried all the places data resides, including computer hard drives, servers and removable media devices, such as USB drives and CD/DVD burners.
BCBS completed the encryption project in just over a year.
“We searched the country and were unable to find another company that has achieved this level of data encryption,” Michael Lawley, vice president of technology shared services for BCBS, said in a statement.
In addition to the encryption, BCBS adopted even stricter policies and procedures. “Our members can rest easier knowing we implemented this process to better protect their privacy,” Lawley added.
BlueCross’ 57 hard drives were stolen from a leased facility in Chattanooga. So far, there is no indication of any misuse of personal data from the stolen hard drives, the company said.
In the wake of the theft, BCBS sent out alerts to just over one million current and former members. BlueCross also offered some of those affected by the theft free Equifax credit monitoring service.
“The lessons we learned from the theft led us to go above and beyond current industry standards, and our team has worked tirelessly to put new safeguards in place and encrypt all our at-rest data,” said Nick Coussoule, senior vice president and chief information officer for BlueCross.
So, let’s tally up the costs: $7M to try and limit the initial data breach and another $6M expended to (try and) ensure it doesn’t happen again: that’s a total of $13M for a single instance of a data breach. You’re thinking there has to be a better way? There is. It’s called 256-bit AES encryption from Venyu that protects data during backups, storage and restore transfers.
And now YOU know the rest of the story.