Personal information for 3.3 million health insurance customers was compromised when a server for a company that creates ID cards for payers was accessed without authorization.
The company, Albany, New York-based Newkirk Products Inc., announced the breach on Friday. Newkirk creates ID cards for more than 10 health insurance companies both directly and through its relationship as a service provider to Birmingham, Alabama-based DST Health Solutions Inc.
Newkirk discovered the breach on July 6 and believes the unauthorized access began on May 21. It notes that affected data includes:
- Member names
- Mailing addresses
- Member and group ID numbers
- Types of plans for individuals
- Names of dependents enrolled in plans
- Primary care providers
Some birthdates, premium invoice information and Medicaid ID numbers also were compromised. No Social Security numbers, banking information or credit card information were on the server, according to Newkirk, which is sending letters to the individuals impacted and is paying for two years of identity theft protection through AllClearID.
Roughly 790,000 current and former members of Blue Cross and Blue Shield of Kansas City are among those affected, the Kansas City Star reports. Blue KC spokeswoman Kelly Cannon told the Star that people who were issued a card between Sept. 2, 2012, and July 7, 2016, were impacted, and that they will be contacted about the breach.
Business associates of HIPAA-covered entities are under increasing scrutiny from the Department of Health and Human Services Office for Civil Rights. Earlier this summer, HHS announced its first-ever HIPAA settlement with a business associate, Catholic Health Care Services of the Archdiocese of Philadelphia, which provided management and information technology services to six skilled nursing facilities.