BlueCross BlueShield business associate breach puts data of 3.3 million at risk

Newkirk Products, a provider of identification cards for insurance carriers, including BlueCross BlueShield, on Friday reported a data breach that may have exposed the personal information of 3.3 million members of insurance plans.

According to the report, no health plan systems were accessed or affected.

On July 6, Newkirk discovered a server had been accessed without authorization and was immediately shut down, the company reported. It opened an investigation through a third-party forensic investigator to determine the extent of the breach. The first unauthorized access occurred on May 21, 2016.

[Also: 'Dark Overlords' suspected in Athens Orthopedic Clinic data breach]

The server didn't contain social security numbers, banking information or medical data, according to Newkirk officials. But depending on the plan, the names, dates of birth, names of dependents, primary care providers, invoice information, Medicaid ID numbers and addresses of patients were part of the accessed data.

The company mailed letters to those affected by the incident, which explains the extent of the breach and offers two years of free identity protection. Federal law enforcement has been contacted and the forensic investigation is ongoing.

[Also: Massachusetts General Hospital hit with data breach affecting 4,300 patients]

Newkirk was part of Broadridge Financial Solutions' $410 million purchase of DST Systems' North America customer communications on July 1. According to the Newkirk's website, Broadridge Financial Solutions network wasn't compromised.

The company provides insurance cards to Blue Cross and Blue Shield of Kansas City, Blue Cross Blue Shield of North Carolina, BlueCross BlueShield of Western New York, BlueShield of Northeastern New York, HealthNow New York, Inc. and Capital District Physicians' Health Plan.

This article first appeared in Healthcare IT News.

Twitter: @JessiefDavis