Oregon’s Medicaid coordinated-care group, Health Share of Oregon, is getting in touch with around 654,000 current and former subscribers to make them aware that a portion of their protected health information (PHI) was saved on a laptop computer which was illegally taken from its transportation vendor, GridWorks.
GridWorks was hired to operate Health Share’s Ride to Care program, through which Health Share provided non-emergent transportation for its account holders.
Health Share’s policies obligate business associates to use encryption on all portable devices that hold patient information but, for reasons unknown, the GridWorks laptop was not encrypted. PHI stored on the laptop computer incorporated names, addresses, contact telephone numbers, birth dates, Health Share ID numbers, Medicaid numbers, and Social Security details.
The laptop was taken during a burglary at GridWorks’ office in November 2019. GridWorks notified Health Share about the laptop theft on January 2, 2020. Health Share began issuing notification letters on February 5 to all people whose PHI was stored on the laptop. Affected individuals have been offered one year of free credit monitoring and identity theft protection services.
Health Share carries out security audits of its vendors and last audited GridWorks in March 2019. As a reaction to the breach, Health Share will grow its vendor security audit program and steps have been taken to ensure only the minimum amount of patient information is shared with its vendors. Training policies have also been bolstered.
During October 2019, Health Share revealed that the nonprofit health plan, CareOregon, would be taking over the management of its Ride to Care program. GridWorks had failed to pay several transportation firms that supplied transport under the Ride to Care program. The company entered receivership in December 2019 and will cease operations once the administration of the Ride to Care program has been fully moved to CareOregon.