BCBS Associate Hack Shows How a Company Properly Deals With Stolen Consumer Information
In August 2016, Newkirk Products, Inc., a provider of managed services and ID cards to a number of BlueCross BlueShield organizations, announced that it had discovered a breach of one of its servers containing information on more than 3.3 million individuals. The breached server held protected health information (PHI).
As soon as Newkirk discovered the breach, it shut down the affected server and hired an outside computer forensics firm to investigate.
Newkirk Products made ID cards for the following BlueCross BlueShield organizations:
- BlueCross and BlueShield of Kansas City
- BlueCross BlueShield of North Carolina
- BlueCross BlueShield of Western New York
- BlueShield of Northeastern New York
- Capital District Physicians’ Health Plan, Inc.
- HealthNow New York Inc.
In addition, Newkirk provided management services for the following healthcare entities:
- DST Health Solutions, Inc.
- Gateway Health Plan
- Highmark Health Options
- Johns Hopkins Employer Health Programs, Inc.
- Priority Partners Managed Care Organization
- Uniformed Services Family Health Plan
- West Virginia Family Health
Newkirk stated in a press release that member data from each of these organizations was affected. Although the most sensitive categories, such as Social Security numbers and financial data, were not part of the exposed information, the following data was:
- Name and address;
- Date of birth;
- Type of health plan;
- Member ID number;
- Group ID number;
- Premium invoice information (no payment information);
- Name of primary care doctor; and
- Names of dependents covered under the plan
While Newkirk Products continues to investigate how the breach occurred, it has reported that to date, there is no evidence that any of the breached data has been used inappropriately.
Newkirk Products was purchased by Broadridge Financial Solutions for $410 million, and the breach was discovered only five days after the sale. Given the cost of resolving the breach on top of the transaction, the total is expected to exceed the estimated $355 per exposed healthcare record reported by the Ponemon Institute earlier this year.
Newkirk Products Does the Right Thing
Even though no misuse of the breached data has been found, Newkirk Products took immediate action once the breach was discovered. It notified every consumer whose data was exposed, so that they could watch for any improper use of their identity, and provided identity theft protection services for two years.
This data breach is the third largest in the healthcare industry in 2016. Another breach of more than 3 million records was announced just days before the Newkirk breach at Banner Health, an Arizona-based health network. In July 2016, a cyberattack exposing 9.3 million records took place at a health insurer whose identity has not yet been disclosed by authorities.
Consumer Data Must Be Protected
Every company that collects personally identifiable information, personal health information or personal financial information has a responsibility to keep the data it stores secure. In most cases a federal or state regulation mandates how that data must be protected, and failure to comply can lead to very large fines. In healthcare, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces the HIPAA Privacy and Security Rules. In early summer 2016 it fined two hospitals more than $2 million each for HIPAA violations. Failure to protect data is expensive.
To help prevent data breaches, companies need to train employees never to open an email or download an email attachment from an unknown sender, and never to download files from a site they do not know. Following these two simple rules reduces the chance of a system falling victim to malware and ransomware.
In organizations that allow employees to bring their own devices (BYOD), users must be trained to protect those devices with strong passwords in case a device is lost or stolen. Even so, lost devices are a small part of the picture: 98 percent of healthcare breaches come from hackers.
Many companies turn to a managed security services provider (MSSP) for help keeping data safe.
Slivertip IT is the trusted choice when it comes to staying ahead of the latest information technology tips, tricks and news. Contact us at (425) 998-9199 or send us an email at email@example.com.