CareOregon notifies members after personal health information breach

According to a December 26, 2025, notification, on October 27, 2025, CareOregon and Health Share of Oregon discovered that one or more unauthorized individuals had accessed some members’ personal information without permission.

 

What happened

The notification followed an initial member update from December 22, 2025. The potentially exposed data included members’ first and last names, dates of birth, health plan information, Medicaid ID numbers, Medicare ID numbers (if applicable), and primary care provider offices. Social Security numbers and financial information were not accessed.

Earlier in 2025, CareOregon issued another HIPAA breach notice for an improper mismailing of member information. That breach was reported to OCR on May 30, 2025, and affected 1,786 individuals. The recent incident now marks the second breach to impact CareOregon and its patients.

 

What was said

According to the initial member update for the most recent breach, “Health Share/CareOregon recently experienced a data breach that has impacted some of our members’ personal health information. Those who are affected by this breach will receive a letter in the mail explaining what happened.”

 

The big picture

The data breach fits into the same year-end wave of incidents as the AllerVie Health Network and Oracle Health-related breaches, a wave that the pair of 2025 CareOregon breaches fall under. While the AllerVie attack involved ransomware and sensitive identifiers, Social Security numbers and financial information were not exposed.

Notifications for CareOregon’s second breach came slightly later than AllerVie’s, aligning with the same December timeframe when healthcare organizations were actively alerting patients and members about breaches discovered earlier in the fall.

Compared to the broader Oracle Health incident, which impacted data across roughly 80 hospitals and included detailed clinical and medical record information, both of CareOregon’s breaches were more targeted, affecting specific member records rather than wide institutional networks.

 

FAQs

What is a data breach?

A data breach occurs when unauthorized individuals gain access to sensitive information such as personal or health data.

 

Are organizations required to notify individuals after a data breach?

Yes, most jurisdictions and laws, such as HIPAA in healthcare, require organizations to notify affected individuals when their sensitive information is exposed.

 

How long does it take to detect a data breach?

Detection time varies widely; some breaches are discovered within days, while others may go unnoticed for months or even years.
