Newkirk Products Health Insurance ID Card Printer Breach — 3.4 Million Members

📅 2016-05-11 🏢 Newkirk Products ID card printing server

Incident Details

On 11 May 2016, an unauthorized party gained access to a server maintained by Newkirk Products, Inc. — a company that prints and mails health insurance identification cards for numerous US health insurance plans including Blue Cross Blue Shield affiliates, Highmark, and others. The breach exposed data for approximately 3.4 million health plan members across multiple insurers.

Exposed data included names, addresses, dates of birth, member identification numbers, group identification numbers, insurance plan information, and primary care provider information. Social Security numbers and financial information were not included in the exposed data.

Newkirk Products notified affected health plans beginning in August 2016, and the health plans notified their affected members. Multiple HHS OCR breach notifications were filed by the affected health plans.

The breach demonstrated the supply chain risk inherent in the healthcare ecosystem — a single vendor providing ID card printing services to multiple health insurers could expose members from numerous organizations through a single breach of the vendor’s infrastructure.

Technical Details

Initial Attack Vector
An unknown attacker gained unauthorized access to a server maintained by Newkirk Products, a company that prints and mails health insurance ID cards for multiple US health plans. The server contained personal information for health plan members across numerous client health insurers.
Vendor / Product
Newkirk Products ID card printing server
Supply Chain Attack
✅ Confirmed third-party / vendor compromise

Timeline

  1. 2016-05-11 Breach occurred
  2. 2016-08-30 Publicly disclosed
  3. 2016-08-30 Customers notified