A company that issues health care ID cards for Blue Cross and Blue Shield of Kansas City and other insurers said it had experienced a data breach that may affect more than 400,000 Missouri policyholders.
Newkirk Products Inc. said the breached data varied by plan but generally only included information found on members’ ID cards.
Kelly Cannon, a spokeswoman for Blue Cross and Blue Shield of Kansas City, said financial and medical information was not exposed.
“What I think is really important to point out in all of this is it did not include Social Security numbers, dates of birth, banking or credit card information or any kind of medical or insurance claims information,” she said.
“It only included member name, mailing address, type of health plan and other things that are found on the actual member card. So the information was actually limited.”
The Missouri Department of Insurance released a statement Friday saying that the information of up to 411,786 Blue Cross and Blue Shield of Kansas City members may have been exposed by the breach. It also said that Newkirk had no evidence that any of the breached data, including names, group ID numbers and primary care providers, had been used inappropriately.
Newkirk said it discovered the breach on July 6 when it found that a computer server with member information was accessed without authorization. It said the breach may have occurred as early as May 21.
Cannon said that Blue Cross was notified of the breach on July 7, when Newkirk was in the initial stages of its investigation.
“So we had to wait to find out who had been affected and what exactly had happened before we started notifying people,” she said.
Newkirk was formerly part of Kansas City-based DST Systems but was acquired on July 1 by Broadridge Financial Solutions. Newkirk acted as a service provider to DST Health Solutions, a DST subsidiary, and several insurance plans were affected by the data breach through that relationship.
Affected policyholders will get a letter from Newkirk offering two years of free identity-theft protection. They can also call 1-855-303-9773.
Last month, another Missouri health care provider, Midwest Orthopedics Group in Farmington, Missouri, reported that 48,000 of its records had been hacked in a cyberattack.
In that case, the compromised information included names, dates of birth, addresses, Social Security numbers, medical diagnoses, laboratory test results, medical records, and possibly also financial information.
Dan Margolies, editor of the Heartland Health Monitor team, is based at KCUR. You can reach him on Twitter @DanMargolies.