Federal regulators are now choosing "business associates" to review for HIPAA data security compliance.

Newkirk Products, a company that makes health plan enrollee cards, says it believes one of its servers may have been accessed without authorization.

The Albany, New York-based company says it discovered signs of a server breach on July 6 and shut the server down that day.

The first unauthorized access took place in May, the company says.

The list of carriers that use Newkirk cards includes Blue Cross and Blue Shield of Kansas City, Blue Cross Blue Shield of North Carolina, HealthNow New York Inc., and several affiliates of Highmark. The carriers provide or administer health coverage for about 3.3 million people.

Newkirk has not indicated what kind of entity might have gotten into its server without authorization, and the company has not described the nature of the suspected unauthorized access.

“The data potentially subject to unauthorized access varies by plan but includes some combination of: the member’s name, mailing address, type of plan, member and group ID number, names of dependents enrolled in the plan, primary care provider, and in some cases, date of birth, premium invoice information and Medicaid ID number,” the company says in a press release announcing the suspected data breach. “The server did not contain Social Security numbers, banking or credit card information, medical information or any insurance claims information.”

“No health plans’ systems were accessed or affected in any way,” Newkirk says. 

Newkirk has no evidence that the data on the server has been used inappropriately, the company says.

Broadridge Financial Solutions, a company based in Lake Success, New York, acquired Newkirk from DST Systems of Kansas City, Missouri, on July 1.

DST says, in a report filed with the U.S. Securities and Exchange Commission, that the incident affected a DST server that Newkirk was using after DST sold Newkirk to Broadridge. 

The Newkirk network has not yet been tied to the Broadridge network, and there is no evidence that the unauthorized access has affected the Broadridge network, or that it has affected any other Newkirk systems, Newkirk says.

Insurance regulators in Missouri and Kansas say Newkirk is offering Kansas City Blue enrollees two years of identity protection and restoration services.

The news of the suspected breach comes as the Office for Civil Rights at the U.S. Department of Health and Human Services is trying to focus the attention of health insurers, insurance agents and benefit plan administrators on federal health data security rules.

The Health Insurance Portability and Accountability Act of 1996 classifies health care providers and health insurers as “covered entities” that must meet strict HIPAA health information privacy, data security and breach notification rules. The covered entities are supposed to have “business associate” agreements in place with any agents or vendors that get and use the protected health information the covered entities hold.
