The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Health Share of Oregon Notifies 654,000 Members About Business Associate Data Breach

Oregon’s Medicaid coordinated-care organization, Health Share of Oregon, is notifying approximately 654,000 current and former members that some of their protected health information (PHI) was stored on a laptop computer stolen from its transportation vendor, GridWorks.

GridWorks was contracted to manage Health Share’s Ride to Care program, through which Health Share provided non-emergent transportation for its members.

Health Share’s HIPAA compliance policies require business associates to use encryption on all portable devices containing patient information but, for reasons unknown, the GridWorks laptop was not encrypted. PHI stored on the laptop computer included names, addresses, contact telephone numbers, birth dates, Health Share ID numbers, Medicaid numbers, and Social Security numbers.

The laptop was stolen in a burglary at GridWorks’ office in November 2019. GridWorks notified Health Share about the laptop theft on January 2, 2020. Health Share started sending notification letters on February 5 to all individuals whose PHI was stored on the laptop. Affected individuals have been offered one year of complimentary credit monitoring and identity theft protection services.

Health Share conducts security audits of its vendors and last audited GridWorks in March 2019. In response to the breach, Health Share will expand its vendor security audit program and steps have been taken to ensure only the minimum amount of patient information is transmitted to its vendors. Training policies have also been enhanced.

In October 2019, Health Share announced that the nonprofit health plan, CareOregon, would be taking over the administration of its Ride to Care program. GridWorks had failed to pay several transportation companies that provided transport under the Ride to Care program. The company went into receivership in December 2019 and will cease operations once the administration of the Ride to Care program has been fully transferred to CareOregon.

Update 02/19/2020: The HHS breach portal indicates 654,362 individuals were impacted by the breach.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
