November 9, 2007
The Oregonian
By Joe Rojas-Burke
A Multnomah County judge has tossed out a proposed class-action lawsuit seeking compensation for tens of thousands of people whose confidential records were stolen from Providence Health & Services in Oregon.
Judge Marilyn Litzenberger struck the claims for damages, concluding that the nonprofit hospital corporation had already reasonably compensated the affected patients and employees and corrected the security problems. The parties received the opinion Thursday.
The data theft -- the largest recorded in Oregon -- occurred Jan. 1, 2006, when a car prowler broke into a van parked overnight at the Milwaukie home of a Providence employee who had left computer disks and data tapes in the van. The records, some going back 20 years, contained sensitive data including Social Security numbers and medical information for 365,000 people. The records were stored without protective encryption.
The ensuing uproar triggered a state investigation and helped convince lawmakers to enact stronger privacy protections in Oregon.
Admitting no violation of law, Providence agreed last year to pay more than $95,000 to the state Department of Justice to cover the expenses of the state's investigation into the security breach.
Lawyers seeking to represent the patients and employees filed suit in Multnomah County Circuit Court on Jan. 30, 2006.
Providence officials said the judge's decision Thursday validates the company's handling of the theft.
"The judge ruled in our favor on all of the points," said Russ Danielson, Providence's Oregon region chief executive. "Our top priority from the beginning was to support and protect our patients."
David Sugerman, one of the attorneys leading the class-action suit, called the ruling disappointing.
"We think Oregon law is very clear that when medical information is compromised there is a claim," Sugerman said. The threat of legal action, he said, may have pushed Providence to offer more help to people whose records were stolen.
"In a sense, whatever protection patients got came as a result of this lawsuit," Sugerman said.
Providence's Danielson scoffed at that claim.
"Nothing Mr. Sugerman did had an influence on what we were going to do," Danielson said.
From the start, Providence promised to help, on a case-by-case basis, anyone hurt by attempts to exploit the stolen information. Three days after the lawsuit filing, Providence announced it would provide unspecified credit support for all affected patients and employees. Two weeks later, Providence said it would pay for one year of credit-protection services.
Providence spokesman Gary Walker said that before the lawsuit was filed, the company had signed a draft agreement with Kroll Inc. to provide credit monitoring and restoration services. The company later extended the protection to two years.
Joe Rojas-Burke 503-412-7073, joerojas@news.oregonian.com
Experts and Speakers
Kroll Fraud Solutions employs globally recognized experts with extraordinary knowledge of the many physical, procedural and electronic security gaps through which confidential data is breached, as well as the criminal landscape where stolen identities are bought, sold and used fraudulently.
Your Identity Is Your Business. Protecting It Is Ours .
