PHI of 654,000 Members of Health Share of Oregon Potentially Compromised in a Business Associate Data Breach

Health Share of Oregon, the Medicaid coordinated-care provider in Oregon, began informing around 654,000 present and past members about the stolen laptop computer from GridWorks, its transportation vendor. The laptop computer contained some of their protected health information (PHI).

GridWorks was hired to handle the Ride to Care program of Health Share. This program by Health Share provided non-emergent means of transport for its members.

It is the policy of Health Share to require business associates to have encryption on all portable devices containing patient data. However, for some reason, GridWorks did not encrypt its laptop. The PHI that was stored on the laptop included names, contact phone numbers, addresses, birth dates, Medicaid numbers, Health Share ID numbers, and Social Security numbers.

The laptop computer was stolen in November 2019 during a burglary at the office of GridWorks. On January 2, 2020, GridWorks informed Health Share about the stolen laptop. On February 5, Health Share began mailing notification letters to all people who had their PHI saved on the laptop computer. Health Share also offered 12-months free complimentary credit monitoring and identity theft protection services to the affected people.

Health Share subjects its vendors to security audits. The last audit of GridWorks was in March 2019. Because of the breach, Health Share is going to increase its vendor security audit program and take measures to make sure that vendors only get the minimum amount of patient data. Health Share also improved its policies on training employees.

In October 2019, Health Share made an announcement about CareOregon’s take over of the administration of the Ride to Care program. CareOregon is a nonprofit health plan. GridWorks did not pay a number of transportation providers that supplied transportation according to the Ride to Care program. In December 2019, GridWorks went into receivership and is going to stop operations after the full transfer of the administration of the Ride to Care program to CareOregon.

Author: Joe Murray

Joe Murray is the Editor-in-Chief of HIPAA 101, where he leads the writing team in delivering high-quality news and insights on HIPAA regulations. With over 15 years of experience in healthcare journalism, Joe has established himself as a trusted writer. At HIPAA 101, Joe is dedicated to providing healthcare professionals and administrative staff with accurate, timely, and comprehensive information to help them navigate the complexities of HIPAA.