Oregon computer theft spurs patient privacy lawsuit

The case poses questions about a common practice of transporting medical information.

By Amy Lynn Sorrel — Posted March 6, 2006

When a thief broke into a Providence Health System employee's car on Dec. 31, 2005, and stole a bag containing a laptop, tapes and disks holding the Social Security numbers and protected health information of 365,000 patients in Oregon and Washington disappeared along with the computer.

In January, patients filed a state class-action lawsuit against Providence alleging that the health system had failed to safeguard the data as required by HIPAA and thus violated Oregon's Unfair Trade Practices Act. Oregon Attorney General Hardy Myers is also investigating whether Providence violated the act.

Although the employee involved was not a doctor, the medical community says the case raises a red flag about the practices that hospitals and even physicians have in place that might put them at risk for running afoul of patient confidentiality laws.

"The good news is that lessons will be learned, and this [incident] shows the need for more stringent policies with regard to records handling," said Jennifer Hanscom, spokeswoman for the Washington State Medical Assn.

HIPAA security and information technology experts advise doctors to take appropriate safeguards.

Rosemarie Nelson, a principal consultant for the Medical Group Management Assn., said she had observed a lot of "HIPAA paranoia" about incidental activities, such as walking down the hall with a patient chart, that aren't cause for worry, when doctors should be concerned about more risky practices such as backing up information over the Internet, outsourcing transcription or taking information home.

"More groups are recognizing that transporting information in a locked bank bag is more protected," she said.

Many doctors carry mobile devices such as PDAs or laptops, which are a target for theft, said Tom Walsh, a Kansas-based information technology consultant who specializes in HIPAA security. Doctors use them more frequently to transport and download patient information between their offices and hospitals, often without simple protections such as a password, he said.

Doctors need to ask, "How are you going to defend yourself in a court of law when you chose to go with less security?" he warned.

The Oregon incident is the biggest breach of health information in that state, according to Jim Kronenberg, chief operating officer of the Oregon Medical Assn., which has cooperated with Providence to inform physicians whose information also might have been stolen.

Although the OMA does not have a position on the lawsuit, Kronenberg said doctors historically had fought to protect patient confidentiality.

The stolen data were about Providence Home Services' patients. The medical community says it is routine for home health employees to carry laptops and back up information at home because they are traveling to visit patients.

But the lawsuit, filed in the Multnomah County Circuit Court, questions whether Providence complied with federal HIPAA regulations as required by state law. The complaint alleges that the company had been negligent in handling the records and had failed to encrypt the data adequately to protect patients' health information and identity.

"Under the state's Unlawful Trade Practices Act, patients have the right to expect that the relationship and the transaction is confidential and will be safeguarded by HIPAA," said lead plaintiff's attorney David Sugerman, partner at Paul & Sugerman PC in Portland, Ore.

A delay in notification

Patients did not find out until three weeks after the theft that their information had been stolen because Oregon does not have a security breach notification law requiring companies to alert consumers when their confidential information is compromised. Twenty-three states had passed security breach notification laws as of January 2006, according to Public Interest Research Groups, a network of independent, state, citizen-funded organizations.

Without such a law to follow, Sugerman said, it would be up to a jury to determine whether Providence took "reasonable" action to notify its consumers about the breach.

"I'm sure jurors would agree this wasn't it," he said, "and I don't think it will be a problem convincing a jury that Providence acted negligently." He added that no investigation by the U.S. Dept. of Health and Human Services Office of Civil Rights had been initiated.

The state attorney general's office said its investigation also centers on the question of whether Providence violated the trade practices act.

"One of our most significant concerns is the time which Providence took to notify consumers," said Oregon AG spokesman Kevin Neely. He added that Myers is working with the Oregon Legislature to pass a security breach notification law in 2007.

On Jan. 23, Providence sent letters to patients notifying them of the incident. Spokesman Gary Walker explained that it took the company time to identify patient names and the type of information that was taken, and to set up a hotline and a Web site for assistance.

"Our decision was to do the right thing, which was to notify patients," Walker said. Providence has cooperated with the attorney general's investigation, he added.

Experts say there are two components to a possible HIPAA violation: privacy and security. A privacy violation would be an unauthorized disclosure of confidential information. A security violation would be inadequate protection of the information.

The theft in Oregon could constitute both a privacy and a security failure, Walsh said, and the violation would stem from the health care worker's negligence.

Providence argues that the incident does not constitute a privacy violation because it was not an intentional disclosure of the protected health information.

Walker declined to comment on the lawsuit but said, "The procedure in place for Providence Home Services was not in line with the policy of Providence Health System for secure transport to a secure offsite location."

To date, Providence said, there have been no verified reports that the stolen data have been accessed. The health system has provided a free service with Kroll Inc. that will monitor patients' credit.

Case at a glance

Russell Gibson and William Weiller, DDS, individually and on behalf of other similarly situated individuals v. Providence Health System

Venue: Multnomah County Circuit Court, Oregon
At issue: Whether employees failed to protect patient information as required by HIPAA privacy and security regulations, and whether the alleged negligent behavior constitutes a violation of the state's Unfair Trade Practices Act.
Potential impact: The medical community says the case raises concerns over physicians' and hospitals' practices with regard to handling protected patient information.

American Medical News is ceasing publication after 55 years of serving physicians by keeping them informed of their rapidly changing profession.
