Active breach tracker OR Disclosed December 26, 2025

CareOregon Data Breach 2025: 5,473 Medicaid Members Affected · Unauthorized Access · OR. Filed With HHS OCR. What To Do.

CareOregon and Health Share of Oregon notified 5,473 Oregon Health Plan members after discovering on October 27, 2025 that one or more individuals viewed member information without permission. Exposed data included names, dates of birth, Medicaid/Medicare ID numbers, health plan information, and primary care provider office. The plan warned of possible insurance-fraud misuse.

You have options. Scroll for the exact action steps, what your provider’s response covers, and what your health data needs beyond credit monitoring.

By HealthConsent Editorial Last updated Sources & methodology

Timeline

Oct 27, 2025

CareOregon and Health Share of Oregon learned that one or more individuals had viewed member information without permission.

Oct 27, 2025

Breach detected

Dec 22, 2025

CareOregon posted a member update announcing that affected members would be notified by mail.

Dec 26, 2025

Formal notice of data event issued; HHS OCR breach notification associated with this date.

Dec 26, 2025

Disclosed publicly

Data exposed

01

High-risk identity

Enables financial + identity theft

Date of birth

03

Contact & insurance

Phishing + targeted scams

First and last name Health plan information Medicaid ID number Medicare ID number (if applicable) Primary care provider office
If you received a letter

Your action plan, in five steps.

You have more rights than the notification letter explains. Each step below is a concrete thing you can do today. Full detail and timing in the sections that follow.

01

Accept credit monitoring

It’s the floor of the response. Take it.

02

Freeze your credit

Free at Equifax, Experian, TransUnion.

03

File IRS Form 14039

Prevent fraudulent tax return under your SSN.

04

Review your EOBs

Insurance statements catch medical identity theft early.

05

Stop the ongoing flow

Credit monitoring doesn’t cover your health records. HealthConsent does.

Jump to step 5: protect my health data

CareOregon, the Medicaid managed-care organization that administers benefits for roughly half a million Oregon Health Plan members, notified 5,473 individuals in December 2025 that their personal health information had been viewed without authorization. The plan learned of the unauthorized access on October 27, 2025 and issued formal notices on December 26, 2025, jointly with Health Share of Oregon, the coordinated care organization through which CareOregon delivers Medicaid benefits in the Portland metro area.

In its notice, CareOregon told members the information may have been used to file fake insurance claims. The plan said it was unable to determine whether any specific member’s information had in fact been misused.

Timeline

  • October 27, 2025 — CareOregon and Health Share of Oregon learn that one or more individuals viewed member information without permission.
  • December 22, 2025 — CareOregon publishes a member update announcing that letters will go out to affected members.
  • December 26, 2025 — Formal notice of data event issued; this is the date associated with the HHS OCR breach filing.

What was exposed

According to CareOregon’s notice and corroborating press coverage, the information viewed and potentially obtained was limited to:

  • First and last name
  • Date of birth
  • Health plan information
  • Medicaid ID number
  • Medicare ID number, where applicable
  • Primary care provider office

CareOregon stated that Social Security numbers and financial information were not accessed.

A sensitive population: Medicaid members

CareOregon is the largest Medicaid managed-care plan in Oregon and one of three risk-bearing entities under Health Share of Oregon, which coordinates Oregon Health Plan benefits for residents of Multnomah, Washington, and Clackamas counties. Members are, by definition, low-income, and many depend on the plan for primary care, behavioral health, and dental coverage.

A breach exposing Medicaid ID numbers carries a specific risk profile that differs from a typical commercial-insurance breach. Medicaid IDs can be used to bill fraudulent claims against state Medicaid programs, and members generally lack the ability to detect that misuse through routine financial monitoring. The plan’s own notice acknowledged that the information could be used to create fake insurance claims.

Credit monitoring and fraud assistance

CareOregon’s public member update and notice of data event do not announce complimentary credit-monitoring services. The plan directs members to its customer service line at 503-334-4134 to confirm whether they were among those affected and to update mailing addresses. If your individual notification letter offers monitoring or remediation, the terms in the letter govern.

Class action and litigation status

At least one plaintiffs’ firm, Cole & Van Note, has publicly announced a class-action investigation tied to the CareOregon breach. As of the date of this page, no filed complaint has been publicly identified. We will update this page if and when a complaint is filed and docket information becomes available.

What to do if you may be affected

  • Check your mail. Notification letters were sent to the address CareOregon has on file. If your address has changed or you are unable to receive mail, call Health Share/CareOregon Customer Service at 503-334-4134 to confirm your status and update your address.
  • Review Medicaid Explanation of Benefits or claims activity. Because the exposed information could be used to file fraudulent insurance claims, watch for services or providers you do not recognize on any Medicaid claim summaries you receive. Report suspected Medicaid fraud to the Oregon Department of Human Services fraud hotline.
  • Freeze your credit anyway. Although Social Security numbers were not reported as part of this breach, a credit freeze with the three nationwide consumer reporting agencies is free, takes about ten minutes per bureau, and remains the single highest-leverage step against identity theft if your information was exposed in any other incident.
  • Be alert to phishing. Threat actors sometimes follow public breach notices with phone calls or texts impersonating the breached organization. CareOregon will not ask you for your Social Security number, full date of birth, or financial account information to “verify” your breach status.
  • Bookmark this page. We update it as new information becomes publicly available, including any class-action filings, OCR portal updates, or supplemental notices.

Sources on this page

Stop your data from spreading further

Credit monitoring covers your wallet. HealthConsent covers your health records.

Your stolen diagnoses, test results, and medical record numbers don’t expire when the free credit-monitoring window ends. HealthConsent automates HIPAA restriction requests and opt-outs across providers, insurers, HIEs, and prescription networks so the data taken in this breach can’t keep being shared and sold by other entities downstream.

Protect my health data

Cancel anytime · Family plan covers spouses + dependents

About this page

This page is compiled from public regulatory filings, the breached entity’s own disclosures, and reporting from established healthcare-privacy outlets. Some sections are assembled with the help of automated research and may contain errors, summaries that lag the underlying source, or details that have since been revised. Treat it as a starting point, not legal advice or an authoritative record. If you spot something inaccurate, the linked sources above are the canonical record. For questions about your individual situation, contact the breached entity directly or consult a licensed attorney.