JESSICA KIM COHEN February 06, 2020
A Medicaid coordinated-care organization in
Oregon is notifying hundreds of thousands of members about a break-in and data
breach that took place at its transportation vendor.
A laptop containing health and demographic
information of roughly 650,000 current and former Health Share of Oregon
members was stolen from GridWorks' office in November. That information
included members' names, addresses, phone numbers, dates of birth, Social
Security numbers and Medicaid ID numbers, but no health histories.
The GridWorks laptop was not encrypted,
according to Health Share, despite the fact Health Share requires all business
associates who handle protected health information to encrypt their devices.
Health Share contracts with GridWorks to provide
its members with transportation to non-emergency medical appointments through
Health Share's Ride to Care program. A Health Share spokesperson said the
organization decided not to renew its contract with GridWorks last year, prior
to learning about the data breach.
Health Share, which said it learned about the
data beach in January, mailed letters alerting its members about the incident
Wednesday.
There's no evidence to suggest the person who stole
the laptop has found or used members' health information, according to Health
Share.
"Though the theft took place at an external
vendor, we take our members' privacy and security very seriously," Dr.
Maggie Bennington-Davis, Health Share's interim CEO and chief medical officer,
said in a statement. "We are committed to providing the highest
quality service to our members, which includes protecting their personal
information."
Health Share said moving forward it plans to
expand annual audits with contractors and ensure patient information shared
with contractors is kept to the minimum amount necessary.
Health Share's most recent audit of GridWorks'
security was in March.
GridWorks said it has improved its electronic
and physical security in response to the incident.
"GridWorks IC deeply regrets any concern or
inconvenience this incident may cause, and remains committed to protecting the
confidentiality and security of the information it maintains," the company
said in a statement.
This isn't the first time Health Share has faced
trouble with GridWorks.
GridWorks last year reportedly failed to pay
transportation companies that provided rides to Health Share members in October
and November. In December, the Multnomah County Circuit Court in Oregon placed
GridWorks into receivership, or management by a third-party, as a result of
financial difficulties at the company, according to the Portland Business Journal.
A Health Share spokesperson said the
organization is in the midst of transitioning administration of the Ride to
Care program from GridWorks to not-for-profit health plan CareOregon.
No comments:
Post a Comment