Multnomah County Alerts Health Center Clients of Data Breach

17 May 2024, multco.us

Multnomah County has notified over 1,000 health center clients of a potential data breach involving their personal health information. A former employee's failure to return a County-issued laptop has raised security concerns, prompting immediate action from the county.


On May 17, 2024, the Multnomah County Health Department announced to 1,092 clients of its Health Center clinics that their protected health information may have been compromised. The County communicated that names, medical record numbers, Medicaid IDs, as well as clients' dates of birth, gender, race, and ethnicity could have been accessed by a former employee who neglected to return a County-issued laptop.

“While we do not believe that Social Security numbers or drivers’ license numbers were accessed, we take this situation very seriously,” said a representative from Multnomah County. This breach affects clients who have visited various health center locations, and those receiving notifications are advised to enroll in a complimentary identity theft protection service provided by the County.

The incident dates back to March 4, 2024, when the Health Department terminated a staff member from the Community Health Center. Despite being dismissed, the former employee failed to return their laptop as mandated. Although the individual had legitimate access to the information while employed, their authorization ceased upon termination.


“This is a regrettable breach of trust,” emphasized a County spokesperson. “Once the employee was dismissed, appropriate access to client data should have ended.” The County’s IT Security team became aware of the situation on April 24, 2024, when an anti-malware system flagged suspicious activity on the laptop.

Investigators quickly determined that the dismissed employee was still using a computer operating under their previous credentials, despite their network account and access rights having been revoked. The laptop contained two spreadsheets that held sensitive health information.

In response, the County swiftly sent a command to remotely wipe the laptop’s data if it connected to the internet again. “Our priority was to secure client information and identify those who might be affected,” said a member of the County’s IT team. “We are taking strong measures to ensure this does not happen again.” The County initiated a process to notify affected clients about the breach and provide support services.

In addition to alerting clients, Multnomah County filed a police report with the Portland Police Bureau regarding the former employee's refusal to return the laptop (case number 24-107-327). “We will pursue every avenue to ensure that our clients’ information is safe and secure,” the spokesperson added.


Looking Ahead

To avoid similar incidents in the future, the Health Department and IT leaders are enhancing technical protocols and training related to County-issued devices. “We are taking a comprehensive approach,” said a County IT official, “including reinforcing the guidelines regarding the retrieval of equipment from departing employees.” The County is also integrating new technologies designed to limit unauthorized access to computers.

Currently, there is no evidence suggesting that the data accessed has been misused. Nevertheless, the County is urging anyone who receives a notification letter to take action by enrolling in the free IDX Once identity theft protection program. Clients can bolster their protection with fraud alert services from the three main credit bureaus, which allow them to receive complimentary credit reports.

Clients interested in identity protection services can enroll through a provided link, by contacting 1-800-939-4170, or by scanning the QR code included in their notification letter. “We are here to assist our clients during this crucial time,” reassured a county representative. “It is important that they know the steps they can take to protect their information.”

Looking Ahead

As investigations continue and measures are implemented to prevent future breaches, this incident has raised important discussions about data security within health services. With ongoing support and a focus on improving systems, Multnomah County aims to reclaim the trust of its clients and reinforce the integrity of its health information systems.
