CareOregon and Health Share of Oregon have notified certain patients about a data breach and potential insurance fraud. Andover Eye Associates has identified a breach of its email environment.

CareOregon and Health Share of Oregon

CareOregon and Health Share of Oregon have notified certain patients about unauthorized access to some of their protected health information. It is unclear from the phrasing of the notice whether this was an insider breach or if data was accessed by an external actor. The data breach notice states that, “On October 27, 2025, we learned that one or more people looked at your information without permission.” Social Security numbers and financial information were not accessed. The data viewed and potentially obtained was limited to first and last names, dates of birth, health plan information, Medicaid/Medicare numbers, and primary care provider office.

The notice states that there may have been data misuse, warning that the information may have been used to create fake insurance claims. CareOregon and Health Share of Oregon said they were unable to determine if any specific patient’s information had been misused. The affected individuals have been reminded that CareOregon and Health Share of Oregon do not bill for covered health care services, and informed the affected individuals that they will not receive a bill even if their data has been misused to file a fake insurance claim. Individuals who receive a letter detailing the services that they should have received should check the letter carefully and report back if there are any listed services that have not been provided.

Law enforcement has been notified, an investigation has been conducted, and the identified issue has been fixed. Further, CareOregon and Health Share of Oregon have changed how individuals’ information can be viewed, and the staff have been retrained. There is currently no breach report on the HHS’ Office for Civil Rights breach portal at present, so it is unclear how many individuals have been affected.

Andover Eye Associates

Andover Eye Associates in Andover, Massachusetts, has experienced an email security incident that exposed the data of 1,638 patients. Suspicious activity was identified in two employee email accounts on June 10, 2025. An investigation was launched, which confirmed that an unauthorized third party gained access to the accounts on May 28, 2025. No other employee email accounts were affected.

The email accounts were reviewed, and on November 4, 2025, Andover Eye Associates confirmed that the accounts contained patient names and Social Security numbers. Additional training has been provided to the workforce, and additional safeguards are being implemented to improve email security. Notification letters have been mailed to the affected individuals who have been offered complimentary credit monitoring services for 12 months.

The post CareOregon and Health Share of Oregon Warn of Potential Insurance Fraud After Data Breach appeared first on The HIPAA Journal.