A Medicaid coordinated-care organization in Oregon is notifying hundreds of thousands of members about a break-in and data breach that took place at its transportation vendor.
A laptop containing health and demographic information of roughly 650,000 current and former Health Share of Oregon members was stolen from GridWorks' office in November. That information included members' names, addresses, phone numbers, dates of birth, Social Security numbers and Medicaid ID numbers, but no health histories.
The GridWorks laptop was not encrypted, according to Health Share, despite the fact Health Share requires all business associates who handle protected health information to encrypt their devices.
Health Share contracts with GridWorks to provide its members with transportation to non-emergency medical appointments through Health Share's Ride to Care program. A Health Share spokesperson said the organization decided not to renew its contract with GridWorks last year, prior to learning about the data breach.
Health Share, which said it learned about the data beach in January, mailed letters alerting its members about the incident Wednesday.
There's no evidence to suggest the person who stole the laptop has found or used members' health information, according to Health Share.
"Though the theft took place at an external vendor, we take our members' privacy and security very seriously," Dr. Maggie Bennington-Davis, Health Share's interim CEO and chief medical officer, said in a statement. "We are committed to providing the highest quality service to our members, which includes protecting their personal information."
Health Share said moving forward it plans to expand annual audits with contractors and ensure patient information shared with contractors is kept to the minimum amount necessary.
Health Share's most recent audit of GridWorks' security was in March.
GridWorks said it has improved its electronic and physical security in response to the incident.
"GridWorks IC deeply regrets any concern or inconvenience this incident may cause, and remains committed to protecting the confidentiality and security of the information it maintains," the company said in a statement.
This isn't the first time Health Share has faced trouble with GridWorks.
GridWorks last year reportedly failed to pay transportation companies that provided rides to Health Share members in October and November. In December, the Multnomah County Circuit Court in Oregon placed GridWorks into receivership, or management by a third-party, as a result of financial difficulties at the company, according to the Portland Business Journal.
A Health Share spokesperson said the organization is in the midst of transitioning administration of the Ride to Care program from GridWorks to not-for-profit health plan CareOregon.