Third Party Security Controls – BlueCross BlueShield Of Tennessee

Due to the risk of harm to the Tennessee Valley Authority (TVA) from the loss or breach of private information held by a third party, we performed an audit of BlueCross BlueShield of Tennessee’s (BCBST) security controls.  Our audit objective was to determine if BCBST has controls in place to meet contract requirements for the protection of data held by the vendor on behalf of TVA.

We determined that BCBST has controls in place to meet the contract requirements for the protection of data held on behalf of TVA.  However, we identified wording in the contract that could be improved to avoid potential confusion.  TVA management agreed with our finding and incorporated improvements into the contract amendment effective January 1, 2026.