Data of 12 payers at risk after a vendor hack

A vendor in the healthcare insurance industry has been hacked in a major data security incident that could affect a dozen payers.

The cyber attack could affect about 3.3 million individuals, according to a spokesperson for the vendor, NewKirk Products.

NewKirk issues identification cards for insurance plans. On July 6, the company discovered a server containing information on members of payer organizations was accessed without authorization, according to a statement. An investigation found access was first made on May 21.

Affected insurers include Blue Cross and Blue Shield of Kansas City, Blue Cross Blue Shield of North Carolina, HealthNow New York, BlueCross BlueShield of Western New York, BlueShield of Northeastern New York, Capital District Physicians’ Health Plan, Gateway Health Plan, Highmark Health Options, West Virginia Family Health, Johns Hopkins Employer Health Programs, Priority Partners Managed Care Organization and Uniformed Services Family Health Plan.

John Huff, director of the Missouri Department of Insurance, said in a statement that information on 411,786 members of Blue Cross Blue Shield of Kansas City was potentially exposed, and he encouraged monitoring of banking and other financial accounts.

Data at risk includes member names, addresses, types of plan, member and group ID numbers, dependents enrolled in a plan and primary care physicians. In some cases, dates of birth, premium invoice information and Medicaid ID numbers also were compromised.

Social Security numbers, banking information, medical information and claims information were not compromised.

NewKirk Products is offering affected individuals two years of identity protection and restoration services through AllClear ID.

Since the giant breach of Anthem in February 2015, health insurance companies have generally been diligent in addressing security vulnerabilities of the data in their houses, particularly clinical, population health and Social Security data, notes Pat Kennedy, president of PJ Consulting, which specializes in payer IT issues.

They’ve also been careful in monitoring vendor security processes, and have been pushing hard on their core vendors, Kennedy adds. Now, however, the NewKirk breach shows more work needs to be done in other areas, such as enrollment data.

“Payers spend a lot of time focused on firewalls and monitoring vendor protections, but haven’t gotten to everyone yet,” he notes. “They have to start looking closer at the more minor vendors.”
