CareOregon, Columbia Pacific and Jackson Care Connect: Oregon Medicaid insurer’s data breach could lead to insurance fraud

CareOregon Data Breach Exposes Personal Information of Over 5,000 Medicaid Members

CareOregon, Oregon’s largest Medicaid insurer serving approximately 500,000 low-income residents, disclosed a data breach affecting 5,473 members in late December 2025, two months after the incident was discovered. The breach, which occurred between late May and October 2025, involved unauthorized access to sensitive personal information, including names, dates of birth, Medicaid and Medicare numbers, health plan details, and primary care provider information. Social Security numbers were not compromised.

The breach was detected on October 17, 2025, though the exact cause, whether internal or external, remains unclear. CareOregon notified affected members on December 26, warning that the exposed data could be used to file fraudulent insurance claims. While the organization stated there was no evidence of misuse, it advised members to disregard any unexpected bills from CareOregon or its affiliates, including Health Share of Oregon, Jackson Care Connect, and Columbia Pacific.

The compromised data was limited to health-related information, reducing the risk of financial account fraud but still posing a risk of insurance fraud. CareOregon reported the incident to law enforcement and implemented corrective measures, including system fixes, access restrictions, and staff retraining. Affected members may receive letters listing health services they should have received and are encouraged to verify their records.

The breach adds to a growing trend of healthcare sector cyber incidents, with over 57 million individuals affected by similar breaches in 2025 alone, according to the HIPAA Journal.

Source: https://www.thelundreport.org/content/oregon-medicaid-insurers-data-breach-could-lead-insurance-fraud-0

CareOregon cybersecurity rating report: https://www.rankiteo.com/company/careoregon

Columbia Psychiatry cybersecurity rating report: https://www.rankiteo.com/company/columbiapsychiatry

"id": "CARCOLCAR1768343725",
"linkid": "careoregon, columbiapsychiatry, careoregon",
"type": "Breach",
"date": "10/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '5,473',
                        'industry': 'Healthcare',
                        'location': 'Oregon, USA',
                        'name': 'CareOregon',
                        'size': '500,000 members',
                        'type': 'Nonprofit Health Insurer'},
                       {'customers_affected': '4,415',
                        'industry': 'Healthcare',
                        'location': 'Portland, Oregon, USA',
                        'name': 'Health Share of Oregon',
                        'type': 'CareOregon Affiliate'},
                       {'industry': 'Healthcare',
                        'location': 'Jackson County, Oregon, USA',
                        'name': 'Jackson Care Connect',
                        'type': 'CareOregon Affiliate'},
                       {'industry': 'Healthcare',
                        'location': 'Clatsop, Columbia, and Tillamook '
                                    'counties, Oregon, USA',
                        'name': 'Columbia Pacific',
                        'type': 'CareOregon Affiliate'}],
 'customer_advisories': 'Affected members notified via letter, urged to check '
                        'credit reports and monitor for fraud',
 'data_breach': {'number_of_records_exposed': '5,473',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'Moderate (PII but no Social Security '
                                        'numbers or financial data)',
                 'type_of_data_compromised': ['Names',
                                              'Dates of birth',
                                              'Medicaid/Medicare numbers',
                                              'Health plan information',
                                              'Primary care provider details']},
 'date_detected': '2024-10-17',
 'date_publicly_disclosed': '2024-12-26',
 'description': 'CareOregon, which serves about 500,000 low-income residents '
                'on the Oregon Health Plan, notified more than 5,000 people in '
                'December that their information had been ‘viewed’ and could '
                'be used to file fake claims. The breach occurred between late '
                'May and late October 2024, with unauthorized access to '
                'personal information including names, dates of birth, '
                'Medicaid and Medicare numbers, health plan information, and '
                'primary care provider details.',
 'impact': {'data_compromised': 'Names, dates of birth, Medicaid/Medicare '
                                'numbers, health plan information, primary '
                                'care provider details',
            'identity_theft_risk': 'Moderate (potential for fake insurance '
                                   'claims)',
            'payment_information_risk': 'None (Social Security numbers not '
                                        'exposed)'},
 'investigation_status': 'Ongoing',
 'motivation': 'Insurance Fraud',
 'post_incident_analysis': {'corrective_actions': 'Changed access controls, '
                                                  're-trained staff'},
 'recommendations': ['Monitor financial information for fraudulent activity',
                     'Review health service claims for discrepancies',
                     'Obtain free credit reports annually'],
 'references': [{'source': 'The Lund Report'},
                {'source': 'HIPAA Journal'},
                {'source': 'Oregon Department of Justice'}],
 'regulatory_compliance': {'regulations_violated': ['HIPAA'],
                           'regulatory_notifications': 'Reported to Oregon '
                                                       'Department of Justice'},
 'response': {'communication_strategy': 'Letter to affected members, public '
                                        'notice via Oregon Department of '
                                        'Justice',
              'containment_measures': 'Investigated and fixed the issue, '
                                      'changed how information can be viewed',
              'incident_response_plan_activated': 'Yes',
              'law_enforcement_notified': 'Yes',
              'remediation_measures': 'Re-trained staff'},
 'stakeholder_advisories': 'Members advised to monitor for fraudulent activity '
                           'and report discrepancies in health service claims',
 'title': 'CareOregon Data Breach',
 'type': 'Data Breach'}