Skip to Content
Crime And Courts

Contractor data breach nay have exposed the protected health info of thousands of Central Oregonians

Deschutes County Health Services
By
Published 11:19 am

BEND, Ore. (KTVZ) -- Thousands of Central Oregonians soon will receive letters in the mail to inform them of a data breach at TriZetto Provider Solutions last fall that may have exposed the personal health information of more than 700,000 people around the country.

TPS is a third-party contractor that provides insurance-eligibility verification services to health care providers, including Deschutes County Health Services (DCHS), Best Care, and the La Pine Community Health Center (LCHC), the organizations said in a joint news release Thursday. 

They stressed that the data breach occurred only in TriZetto’s environment and did not involve or compromise any Deschutes County, Best Care, or La Pine Community Health Center systems.

Here are the details

What happened?

In October, TriZetto Provider Solutions discovered suspicious activity in one of its web portals. Upon discovering the issue, TPS launched an investigation and took steps to eliminate the threat.

Experts determined that, starting in November 2024, an unauthorized actor began accessing historical eligibility reports stored on the TPS system. The affected reports contain information about health insurance eligibility transactions, including certain protected health information (PHI) of patients and primary policyholders.

TPS reports that the threat was eliminated on Oct. 2, but may have exposed the PHI of more than 700,000 people.

DCHS, LCHC and Best Care were notified about the data breach on Dec. 10. Since then, staff from all three agencies have been working diligently to verify which clients/patients may have been impacted by the incident.

What data was exposed?

Data exposed during this breach varies, but may include names, addresses, dates of birth, Social Security numbers, health insurer name, health insurance member numbers and provider names. The incident did not include any medical diagnosis or treatment information, nor did it include any payment card or bank account information.

What are DCHS, LCHC and Best Care doing?

TriZetto Provider Solutions informed DCHS, LCHC and Best Care that it plans to notify exposed clients/patients about the breach in February. However, because confidentiality, privacy, and security of personal health information are among the highest priorities for all three agencies, and to avoid any further delay in offering protections, DCHS, LCHC and Best Care are sending their own notifications.

LCHC will notify approximately 1,200 of its patients, DCHS will notify approximately 1,300 clients/patients, and Best Care will notify approximately 1,650 clients/patients that their protected health information was exposed during the breach. 

It is important to note that while client PHI was accessed, there is no evidence at this time that it has been misused.  

Additionally, each agency is offering exposed clients/patients identity theft protection through a data breach and recovery services contractor, IDX. The free identity protection services include 12 months of credit and CyberScan monitoring, a $1 million insurance reimbursement policy, and fully managed identity theft recovery services.

Article Topic Follows: Crime And Courts

Jump to comments ↓

KTVZ

BE PART OF THE CONVERSATION

KTVZ is committed to providing a forum for civil and constructive conversation.

Please keep your comments respectful and relevant. You can review our Community Guidelines by clicking here

If you would like to share a story idea, please submit it here.