A service provider that issues the healthcare ID cards for several health insurance companies, including BlueCross BlueShield of Western New York (BCBS), is warning customers of a data breach of one of its servers.
Newkirk Products, Inc. provides cards for the following companies, either directly or through its former owner DST Systems, Inc.:
- Blue Cross and Blue Shield of Kansas City
- Blue Cross Blue Shield of North Carolina
- HealthNow New York Inc.
- BlueCross BlueShield of Western New York
- BlueShield of Northeastern New York
- Capital District Physicians' Health Plan, Inc. (CDPHP)
- Gateway Health Plan
- Hghmark Health Options
- West Virginia Family Health
- Johns Hopkins Employer Health Programs, Inc.
- Priority Partners Managed Care Organization
- Uniformed Services Family Health Plan
In a statement from the company, Newkirk wrote that the breach did not affect any of the health plans' servers. This includes BCBS.
The breach was discovered on July 6, and Newkirk now believes the unauthorized access first happened on May 21, 2016. Upon discovery, the server was shut down and Newkirk hired a third-party forensic investigator to determine how much of customers' data had been put at risk.
Newkirk determined the server that was breached did not contain social security numbers. It also did not contain banking or credit card information, medical information, or insurance claim information. However, Newkirk did find that the server breached contained customers' names, mailing addresses, member IDs and group numbers, and in some cases the Medicaid ID number.
Newkirk is in the process of mailing letters to customers impacted. Those letters will include a thorough investigation of the incident and an offer for two years of free identity protection.
Anyone who needs assistance navigating this incident can call the company's assistance line at 1-855-303-9773. The company is offering two years of free identity theft protection to those affected.
Newkirk was sold to Broadridge Financial Solutions in July of 2016. None of Broadridge's servers were affected by this breach.