The Oregon Supreme Court last week affirmed the dismissal of a class action lawsuit against Providence Health & Services-Oregon arising out of the theft of patient data on backup media that were stolen from an employee’s car in late 2005.

The case underscores the importance of taking prompt and effective action to protect patients after a data breach. The Supreme Court noted approvingly the substantial—and costly—steps Providence took to protect its patients in the wake of the theft.

Background

The ruling ends a six-year-old legal battle that followed the theft of electronic media containing information on about 365,000 patients of Providence Home Health Services in Oregon. The thief broke into a car of a Providence employee on New Year’s Eve 2005, and stole a laptop bag with computer disks and tapes inside. Information on the stolen media included patients’ names, addresses, some Social Security numbers and, in a very few cases, patient care information. The data were not encrypted, but required special equipment to read.

Providence notified affected patients of the theft and suggested ways to protect against identity theft. Providence also offered to provide patients two years of credit monitoring and restoration services and to pay for any financial loss that might result from later credit or identity theft. Providence established a web site and toll-free call center to answer patients’ questions and to help patients obtain desired services.

Please see full article below for more information.