On July 6, 2016, Newkirk Products, Inc., a company that makes healthcare ID cards and billing statements for CDPHP and other health insurers, discovered that a computer server storing client information was accessed without authorization. According to Newkirk, the records were first accessed on May 21. Newkirk disclosed the data breach on August 5.
Over half a million CDPHP users may have been affected, as well as 70,000 BlueShield members. Information that may have been accessed through the Newkirk server includes names, mailing addresses, and dates of birth. Newkirk is offering two years of free identity protection and restoration services and recommends you "be vigilant against incidents of identity theft" and report "suspicious or fraudulent charges" to CDPHP.
Healthcare Security Breaches: Why Should You Care?
According to the Office of the Inspector General, "Medical identity theft occurs when someone steals your personal information (like your name, Social Security number, or Medicare number) to obtain medical care, buy drugs, or submit fake billings to Medicare in your name. Medical identity theft can disrupt your life, damage your credit rating, and waste taxpayer dollars. The damage can be life-threatening to you if wrong information ends up in your personal medical records." Having your information stolen or easily accessible to potential thieves can have a monumental negative impact on your peace of mind and overall quality of life.
Who is liable for the data breach?
Hospitals and health care providers have a statutory duty under New York State and federal law to protect the personal data and confidential health information of patients, including electronically stored health information. Federal regulations include the HIPAA Privacy Rule and Security Rule. Many health care providers contract with business associates such as data management companies to store and manage patient records. These record custodians are also subject to potential liability for data breaches.
What Should You Do?
The laws regarding cyber-security are still relatively new and case law is developing in the courts. Insurance coverage for damages caused by data breaches is often contested by insurers. Because of this, if you have been the victim of a data breach or believe you may be, whether or not your information has been used in a criminal way, it is important to contact an attorney with a background in cyber security.