Oregon computer theft spurs patient privacy lawsuit
The case poses questions about a common practice of transporting medical information.
By Amy Lynn Sorrel — Posted March 6, 2006
When a thief broke into a Providence Health System employee's car on Dec. 31, 2005, and stole a bag containing a laptop, the bag also held tapes and disks containing the Social Security numbers and protected health information of 365,000 patients in Oregon and Washington.
In January patients filed a state class-action lawsuit against Providence alleging that the health system had failed to safeguard the data as required by HIPAA and thus violated Oregon's Unfair Trade Practices Act. Oregon Attorney General Hardy Myers is also investigating whether Providence violated the act.
Although the employee involved was not a doctor, the medical community says the case raises a red flag about the practices that hospitals and even physicians have in place that might put them at risk for running afoul of patient confidentiality laws.
"The good news is that lessons will be learned, and this [incident] shows the need for more stringent policies with regard to records handling," said Jennifer Hanscom, spokeswoman for the Washington State Medical Assn.
HIPAA security and information technology experts advise doctors to take appropriate safeguards.
Rosemarie Nelson, a principal consultant for the Medical Group Management Assn., said she had observed a lot of "HIPAA paranoia" about incidental activities that aren't cause for worry, such as walking down the hall with a patient chart. Doctors should instead be concerned about riskier practices, she said, such as backing up information over the Internet, outsourcing transcription or taking information home.
"More groups are recognizing that transporting information in a locked bank bag is more protected," she said.
Many doctors carry mobile devices such as PDAs or laptops, which are a target for theft, said Tom Walsh, a Kansas-based information technology consultant who specializes in HIPAA security. Doctors use them more frequently to transport and download patient information between their offices and hospitals, often without simple protections such as a password, he said.
Doctors need to ask, "How are you going to defend yourself in a court of law when you chose to go with less security?" he warned.
The Oregon incident is the biggest breach of health information in that state, according to Jim Kronenberg, chief operating officer of the Oregon Medical Assn., which has cooperated with Providence to inform physicians whose information also might have been stolen.
Although the OMA does not have a position on the lawsuit, Kronenberg said doctors historically had fought to protect patient confidentiality.
The stolen data were about Providence Home Services' patients. The medical community says it is routine for home health employees to carry laptops and keep backup information at home because they travel to visit patients.
But the lawsuit, filed in the Multnomah County Circuit Court, questions whether Providence complied with federal HIPAA regulations as required by state law. The complaint alleges that the company had been negligent in handling the records and had failed to encrypt the data adequately to protect patients' health information and identity.
"Under the state's Unlawful Trade Practices Act, patients have the right to expect that the relationship and the transaction is confidential and will be safeguarded by HIPAA," said lead plaintiff's attorney David Sugerman, partner at Paul & Sugerman PC in Portland, Ore.
A delay in notification
Patients did not find out until three weeks after the theft that their information had been stolen because Oregon does not have a security breach notification law requiring companies to alert consumers when their confidential information is compromised. Twenty-three states had passed security breach notification laws as of January 2006, according to Public Interest Research Groups, a network of independent, state, citizen-funded organizations.
Without such a law to follow, Sugerman said, it would be up to a jury to determine whether Providence took "reasonable" action to notify its consumers about the breach.
"I'm sure jurors would agree this wasn't it," he said, "and I don't think it will be a problem convincing a jury that Providence acted negligently." He added that no investigation by the U.S. Dept. of Health and Human Services Office of Civil Rights had been initiated.
The state attorney general's office said its investigation also centers on the question of whether Providence violated the trade practices act.
"One of our most significant concerns is the time which Providence took to notify consumers," said Oregon AG spokesman Kevin Neely. He added that Myers is working with the Oregon Legislature to pass a security breach notification law in 2007.
On Jan. 23, Providence sent letters to patients notifying them of the incident. Spokesman Gary Walker explained that it took the company time to identify patient names and the type of information that was taken, and to set up a hotline and a Web site for assistance.
"Our decision was to do the right thing, which was to notify patients," Walker said. Providence has cooperated with the attorney general's investigation, he added.
Experts say there are two components to a possible HIPAA violation: privacy and security. A privacy violation would be an unauthorized disclosure of confidential information. A security violation would be inadequate protection of the information.
The theft in Oregon could constitute both a privacy and a security failure, Walsh said, and the violation would stem from the health care worker's negligence.
Providence argues that the incident does not constitute a privacy violation because it was not an intentional disclosure of the protected health information.
Walker declined to comment on the lawsuit but said, "The procedure in place for Providence Home Services was not in line with the policy of Providence Health System for secure transport to a secure offsite location."
To date, Providence said, there have been no verified reports that the stolen data have been accessed. The health system has provided a free service with Kroll Inc. that will monitor patients' credit.