If you’re like the majority of “card-carrying adults,” you literally have cards that demonstrate your status as a grown up. Your wallet most likely contains a driver’s license, a credit card or two, a health insurance card, and any number of membership or loyalty cards. Each card represents a unique relationship between you and a government entity, a medical coverage provider, a financial institution, or some other organization.

With all the news of record-setting numbers of data breaches, we may instantly think about those relationships being compromised. But what happens when the physical card itself is the source of the security leak?

A company in New York has just experienced that exact situation. Newkirk Products is an Albany-based company that produces the physical cards that consumers carry in their wallets. Most of Newkirk’s clients are health insurance providers, specifically several states’ Blue Cross Blue Shield agencies, as well other insurance providers. Unfortunately, their servers were hacked last May, and clients’ information was compromised.

Newkirk Products hired forensic tech investigators to determine exactly what information was stolen. Fortunately, personal details like Social Security numbers were not breached, but all of the data that would go on a physical card—names, policy numbers, group numbers, and birthdates—was accessed. While Social Security numbers are highly sought after pieces of personal identifiable information, having the info that a medical insurance card offers allows the hackers to use or sell medical identities online.

Medical identity theft might seem like an unlikely cause for concern, but the reality is it makes up a significant number of victim reports each month to the Identity Theft Resource Center’s 24-hour toll-free help line. It occurs when someone uses your identity to receive medical treatment, prescription drugs, or other related services, incorporating the thief’s medical condition into your medical record. That can actually result in life-threatening complications if you later receive care for a condition that you don’t have.

Newkirk’s new owners are in the process of notifying cardholders whose information was compromised, and will be offering them two years of identity protection despite the fact that financial details were not stolen in the breach. It is still a good idea for anyone who’s potentially been the victim of medical identity theft to speak up and inform their healthcare provider and pharmacy of the breach; this may help ensure that their records only contain valid medical information.

Anyone can be a victim of identity theft, anyone can use our services, and anyone can help us help others. If you found this information useful, please consider donating to the Identity Theft Resource Center to help us keep our services free to the public.