HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

3.3 Million Record Breach Reported by BCBS Vendor

A business associate of several Blue Cross Blue Shield organizations has discovered an unauthorized individual has gained access to a computer server containing the protected health information of close to 3.3 million individuals.

New York-based Newkirk Products Inc., a provider of ID card and management services, discovered the intrusion on July 6, 2016. The affected server was immediately shut down and an external computer forensics firm was brought in to conduct an investigation. That investigation revealed that its systems were first breached on May 21, 2016.

Newkirk Products provides management services to the following healthcare organizations:

  • DST Health Solutions, Inc.
  • Gateway Health Plan
  • Highmark Health Options
  • Johns Hopkins Employer Health Programs, Inc.
  • Priority Partners Managed Care Organization
  • Uniformed Services Family Health Plan
  • West Virginia Family Health

Newkirk Products also produces ID cards for the following healthcare organizations:

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

  • Blue Cross and Blue Shield ofKansas City
  • Blue Cross Blue Shield of North Carolina
  • BlueCross BlueShield ofWestern New York
  • BlueShield ofNortheastern New York
  • Capital District Physicians’ Health Plan, Inc.
  • HealthNow New York Inc.

According to a press release issued by Newkirk Products on Friday, all of these organizations have been affected.


Affected individuals had some or all of the following data exposed: Name, mailing address, date of birth, health plan type, member ID number, group ID number, premium invoice information, primary care provider name, Medicaid ID number, and the names of any dependents also enrolled on members’ health plans. Highly sensitive data such as Social Security numbers, health insurance details, and financial information were not exposed as a result of the breach. Blue Cross and Blue Shield of Kansas City was one of the worst hit, with approximately 790,000 of its Blue KC members impacted by the breach.

Newkirk Products is still investigating the breach, although at this stage no evidence has been uncovered to suggest any data have been used inappropriately. All affected individuals are being notified by mail and are being offered 24 months of complimentary identity theft monitoring and resolution services.

The breach was discovered just five days after the company was acquired by Broadridge Financial Solutions in a $410 million deal. The discovery of the breach means that cost will be considerably higher. The 2016 Cost of a Data Breach Report issued by the Ponemon Institute earlier this year suggests healthcare data breach resolution costs have risen to $355 per exposed record.

Broadridge Financial Solutions, Inc., reported that the breach was discovered before data and systems were incorporated in its own systems and the only clients affected by the breach are those who did business with Newkirk Products.

This is the third largest healthcare data breach discovered in 2016, and the second 3 million record+ healthcare data breach reported in the past week. The news comes just a few days after the announcement of a potential 3.7 million record breach at Phoenix, Arizona-based healthcare network Banner Health, and just over a month after a 9.3 million-record cyberattack on an as-of-yet undisclosed health insurer.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.