Newkirk Products Data Breach Impacts 3.3 Million Individuals

The recently announced Newkirk Products data breach impacts at least 13 health insurers and healthcare providers, and reportedly affects as many as 3.3 million health plan subscribers and healthcare patients.

The Newkirk Products data breach was announced just five days after ownership of the company was transferred to Broadridge Financial Solutions for $410 million. The purchasing of Newkirk was completed on July 1, with the breach being discovered on July 6, 2016.

Numerous Blue Cross Blue Shield Organizations and Healthcare Providers Affected

Upon discovery of the Newkirk Products data breach, the affected server was isolated and shut down and an external computer forensics firm was brought in to investigate the intrusion. The firm determined that an unauthorized individual had first gained access to a computer server containing ePHi on May 21, 2016. The investigation into the breach is ongoing, although affected individuals are now being notified of the breach by mail.

Blue Cross and Blue Shield of Kansas City was notified that 790,000 members had been impacted, although other affected healthcare organizations have yet to confirm how many of their patients were impacted. In the case of Blue Cross and Blue Shield of Kansas City, only its Blue KC members were affected.

Other healthcare organizations impacted by the breach include Blue Cross Blue Shield of North Carolina, BlueCross BlueShield of Western New York, BlueShield of Northeastern New York, Capital District Physicians’ Health Plan, Inc., DST Health Solutions, Inc., Gateway Health Plan, HealthNow New York Inc., Highmark Health Options, Johns Hopkins Employer Health Programs, Inc., Priority Partners Managed Care Organization, Uniformed Services Family Health Plan, and West Virginia Family Health.

Affected individuals may have had the following data elements exposed or accessed by the intruder: Name, date of birth, mailing address, health plan type, group ID number, member ID number, premium information, primary care provider name, Medicaid ID number, and names of dependents included on the health plan. No Social Security numbers, health insurance membership IDs, bank account details, or credit/debit card numbers were compromised.

Newkirk Products has not received any reports of any data being used inappropriately. However, because there a risk that data were accessed and stolen and that individuals’ data may be used for nefarious purposes, all affected individuals are being offered two years of identity theft monitoring and resolution services without charge.

Newkirk Products Data Breach Third Largest Confirmed Healthcare Breach of 2016

The Newkirk Products data breach is the third largest healthcare data breach of 2016, and the second largest confirmed data breach. In the year to date, the following multi-million record healthcare data breaches have been discovered:

Healthcare Entity Records Breached Breach Details
Unconfirmed health insurer 9.3 Million Records Hacked, and data posted online by TheDarkOverlord
Banner Health Network 3.7 Million Records Hacking
Newkirk Products Inc. 3.3 Million Records Hacking
21st Century Oncology 2.2 Million Records Hacking

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news