Health Share of Oregon Notifies 654,000 Members About Business Associate Data Breach

Oregon’s Medicaid coordinated-care organization, Health Share of Oregon, is notifying approximately 654,000 current and former members that some of their protected health information (PHI) was stored on a laptop computer stolen from its transportation vendor, GridWorks.

GridWorks was contracted to manage Health Share’s Ride to Care program, through which Health Share provided non-emergent transportation for its members.

Health Share’s policies require business associates to use encryption on all portable devices containing patient information but, for reasons unknown, the GridWorks laptop was not encrypted. PHI stored on the laptop computer included names, addresses, contact telephone numbers, birth dates, Health Share ID numbers, Medicaid numbers, and Social Security numbers.

The laptop was stolen in a burglary at GridWorks’ office in November 2019. GridWorks notified Health Share about the laptop theft on January 2, 2020. Health Share started sending notification letters on February 5 to all individuals whose PHI was stored on the laptop. Affected individuals have been offered one year of complimentary credit monitoring and identity theft protection services.

Health Share conducts security audits of its vendors and last audited GridWorks in March 2019. In response to the breach, Health Share will expand its vendor security audit program and steps have been taken to ensure only the minimum amount of patient information is transmitted to its vendors. Training policies have also been enhanced.

In October 2019, Health Share announced that the nonprofit health plan, CareOregon, would be taking over the administration of its Ride to Care program. GridWorks had failed to pay several transportation companies that provided transport under the Ride to Care program. The company went into receivership in December 2019 and will cease operations once the administration of the Ride to Care program has been fully transferred to CareOregon.

Update 02/19/2020: The HHS breach portal indicates 654,362 individuals were impacted by the breach.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.