Health Share of Oregon discloses data breach, theft of member PII

A break-in and stolen laptop are at the heart of the security incident.

One of the largest data leaks ever traced back to Wawa's 2019 malware attack
1:02

A burglary and stolen laptop from GridWorks IC, a vendor hired by Health Share of Oregon, has led to the exposure of Medicaid member data. 

On Wednesday, Health Share of Oregon, the state's largest Medicaid coordinated care organization (CCO), said that on January 2, 2020, the organization's contracted non-emergent medical transportation (Ride to Care) vendor GridWorks suffered a break-in, of which the effects have now been felt down the supply chain. 

See also: Toll Group shuts down IT systems in response to 'cybersecurity incident'

On November 18, 2019, GridWorks' office was broken into and a laptop stolen in the raid contained the personally identifiable information (PII) of 654,362 members. 

Information contained on the laptop included names, addresses, phone numbers, dates of birth, Social Security numbers, and Medicaid ID numbers. This data can now be considered as potentially compromised but the CCO says that no personal medical histories were involved in the data breach. 

The CCO serves Medicaid members in Clackamas, Multnomah, and Washington counties. 

Due to the nature of the theft, Health Share of Oregon is not able to confirm what happened to the laptop and information contained therein, including whether or not the records have been utilized or sold. 

CNET: Russians engaging in ongoing 'information warfare,' FBI director says

Letters are being mailed to everyone involved in the incident and one year of free credit monitoring is on offer. 

The Medicaid provider says that annual audits with its contractors will be "expanded" and training will be improved, "ensuring that all transmission of patient information is kept to the minimum necessary to perform required duties."

TechRepublic: How to defend your organization against the latest malware, botnets and security exploits

"We are ensuring that members, partners, regulators, and the community are made fully aware of this issue," said Maggie Bennington-Davis, Health Share of Oregon MD and interim CEO. "We are committed to providing the highest quality service to our members, which includes protecting their personal information."

Black Book Market Research estimates that healthcare-related data breaches in the United States cost the industry $4 billion last year. In a survey of close to 3,000 IT professionals, 96 percent of respondents said that cyberattackers' expertise and resources are outpacing the capabilities of medical organizations to protect themselves.

Another recent data breach of note has impacted the business operations of Toll. In January, the Australian logistics company suffered a "cybersecurity incident" which has led to the shutdown of customer-facing services and deliveries. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0