Newkirk Products, a company that makes health plan enrollee cards, says it believes one of its servers may have been accessed without authorization.
The Albany, New York-based company says it discovered signs of a server breach July 6 and shut the server down that day.
The first unauthorized access took place in May, the company says.
Related: Lawyer on HIPAA Phase 2 audits: Take the rules seriously
The list of carriers that use Newkirk cards includes Blue Cross and Blue Shield of Kansas City, Blue Cross Blue Shield of North Carolina, HealthNow New York Inc., and several affiliates of Highmark. The carriers provide or administer health coverage for about 3.3 million people.
Newkirk has not indicated what kind of entity might have got into its server without authorization, and the company has not described the nature of the suspected unauthorized access.
“The data potentially subject to unauthorized access varies by plan but includes some combination of: the member’s name, mailing address, type of plan, member and group ID number, names of dependents enrolled in the plan, primary care provider, and in some cases, date of birth, premium invoice information and Medicaid ID number,” the company says in a press release announcing the suspected data breach. “The server did not contain Social Security numbers, banking or credit card information, medical information or any insurance claims information.”
“No health plans’ systems were accessed or affected in any way,” Newkirk says.
Newkirk has no evidence that the data on the server has been used inappropriately, the company says.
Broadridge Financial Solutions, a Lake Success, New York, company, acquired Newkirk from DST Systems of Kansas City, Missouri, July 1.