
3.3 Million Record Breach Reported by BCBS Vendor


A business associate of several Blue Cross Blue Shield organizations has discovered that an unauthorized individual gained access to a computer server containing the protected health information of close to 3.3 million individuals.

New York-based Newkirk Products Inc., a provider of ID card and management services, discovered the intrusion on July 6, 2016. The affected server was immediately shut down and an external computer forensics firm was brought in to conduct an investigation. That investigation revealed that its systems were first breached on May 21, 2016.

Newkirk Products provides management services to the following healthcare organizations:

  • DST Health Solutions, Inc.
  • Gateway Health Plan
  • Highmark Health Options
  • Johns Hopkins Employer Health Programs, Inc.
  • Priority Partners Managed Care Organization
  • Uniformed Services Family Health Plan
  • West Virginia Family Health

Newkirk Products also produces ID cards for the following healthcare organizations:

  • Blue Cross and Blue Shield of Kansas City
  • Blue Cross Blue Shield of North Carolina
  • BlueCross BlueShield of Western New York
  • BlueShield of Northeastern New York
  • Capital District Physicians’ Health Plan, Inc.
  • HealthNow New York Inc.

According to a press release issued by Newkirk Products on Friday, all of these organizations have been affected.

 

Affected individuals had some or all of the following data exposed: Name, mailing address, date of birth, health plan type, member ID number, group ID number, premium invoice information, primary care provider name, Medicaid ID number, and the names of any dependents also enrolled on members’ health plans. Highly sensitive data such as Social Security numbers, health insurance details, and financial information were not exposed as a result of the breach. Blue Cross and Blue Shield of Kansas City was one of the worst hit, with approximately 790,000 of its Blue KC members impacted by the breach.

Newkirk Products is still investigating the breach, although at this stage no evidence has been uncovered to suggest any data have been used inappropriately. All affected individuals are being notified by mail and are being offered 24 months of complimentary identity theft monitoring and resolution services.

The breach was discovered just five days after the company was acquired by Broadridge Financial Solutions in a $410 million deal. The discovery of the breach means that cost will be considerably higher. The 2016 Cost of a Data Breach Report issued by the Ponemon Institute earlier this year suggests healthcare data breach resolution costs have risen to $355 per exposed record.

Broadridge Financial Solutions, Inc., reported that the breach was discovered before data and systems were incorporated in its own systems and the only clients affected by the breach are those who did business with Newkirk Products.

This is the third largest healthcare data breach discovered in 2016, and the second healthcare data breach of more than 3 million records reported in the past week. The news comes just a few days after the announcement of a potential 3.7 million record breach at Phoenix, Arizona-based healthcare network Banner Health, and just over a month after a 9.3 million-record cyberattack on an as-yet undisclosed health insurer.

Author: HIPAA Journal
