BlueCross BlueShield of Western New York announced on Friday that one of its third-party service providers, Newkirk Products, Inc., was the subject of a cybersecurity attack.
Newkirk has been partnered with BlueCross BlueShield since October 2014 to produce and mail subscriber information cards. According to a press release, the ID card images of about 230,000 BlueCross BlueShield subscribers were accessed without permission. The information on these cards likely included name, mailing address, type of plan and subscriber number.
No Social Security numbers, date of birth, financial information, medical information or any insurance claims were accessed, according to the release.
BlueCross BlueShield said it will notify all impacted current and former subscribers by U.S. Postal mail with information on two years of free identity protection and restoration services through AllClear ID.
“Maintaining the privacy and security of our members’ personal information is one of our highest priorities,” the release said. “We are focused on helping our members through this situation with the information and support they need.”
The company’s problems began when Newkirk discovered on July 6 that a server containing member information was accessed, according to a separate statement. Newkirk shut down the server and hired a third party forensic investigator to determine the extent of the unauthorized access. Officials also notified federal law enforcement.
Although the investigation is ongoing, it appears that the unauthorized access began on May 21.
There is no evidence available at this time that the data has been used inappropriately.