The Multnomah County Health Department today began notifying 1,092 Health Center clients that their protected health information may have been accessed.
Clients are being informed that their names, medical record numbers, Medicaid IDs, dates of birth, gender, race, ethnicity, clinic and dates of service may have been accessed by a former employee who has refused to return a County-issued computer. The clients’ Social Security numbers and drivers’ license numbers were not accessed.
The breach impacts clients seen at different health center locations. Affected clients who receive a letter should enroll in a free identity theft protection program offered by the County and stay informed.
No other Multnomah County clients are involved in the breach, nor are any other Multnomah County information systems impacted.
How the breach occurred
The breach dates to March 4, 2024, when the Health Department dismissed a Community Health Center staff member who then failed to return their County-issued laptop as required. Although the information saved on the laptop was appropriate for the former employee to possess as part of their job, the individual was no longer authorized to access the information after leaving the County.
The former employee’s network account, email, and clinical systems access to medical records system had been properly disabled upon their termination. However, on April 24, 2024, one of Multnomah County’s anti-malware systems raised an alert about suspicious activity on the computer.
The County’s Information Technology Security team immediately identified that the computer was being used by an employee who had been dismissed, and they began investigating. The operating system on the computer had allowed the employee to log-in to the computer using their previous account. Investigators also learned that two spreadsheets containing protected health information had remained saved on the laptop.
The County remotely sent a command that would securely erase the laptop’s contents if it connects to the internet again. In addition, staff immediately began working to identify affected clients, line up support services and take steps to notify them of the breach.
The County also filed a police report with the Portland Police Bureau (case number 24-107-327) after the dismissed employee ignored repeated demands that the laptop be returned.
What is being done to prevent this from happening again?
The Health Department and IT leaders also took steps to strengthen technical protocols and training around County-issued computers to prevent similar events in the future. All Health Center supervisory staff are being reminded of the steps to retrieve County equipment when an employee leaves a position. County IT is also adding new technical capabilities to help prevent unauthorized access for a given computer.
At this time, there is no indication the clients’ information has been misused, but the County is urging everyone who receives a notification letter to enroll in the free IDX Once identity theft protection plan. Clients can also receive free fraud alert services from the three major credit bureaus. Placing fraud alerts will provide clients with added credit protection and give them access to copies their credit reports at no cost to them.
Clients can enroll in identity protection services at this link, by calling 1-800-939-4170, or scanning the QR image in their notification letter. IDX representatives are available Monday through Friday from 6 a.m. to 6 p.m. Pacific Time.