Providence Breach Case Dismissed
What Were the Key Factors in the Case?
The Oregon Supreme Court last week dismissed a breach-related class action lawsuit against Providence Health & Services-Oregon. The law firm representing Providence believes a key factor in the dismissal was the healthcare provider's prompt action to protect patient information.
The law firm, Davis Wright Tremaine, posted an online report on the case, Paul v. Providence Health System-Oregon, this week. The authors, two attorneys involved in the case, contend that the court took note of Providence's prompt efforts to reduce the risk of misuse of the stolen data after the breach.
The Feb. 24 state supreme court ruling dismissed a class action lawsuit, filed on behalf of the 365,000 individuals affected by the breach, that sought $73 million for certain costs as well as for distress suffered when the patients learned of the theft. In a unanimous opinion, the supreme court ruled that the plaintiffs "failed to state claims on which they could recover damages either for negligence or for violation of Oregon's Unfair Trade Practices Act," the law firm's report states. The court based its decision on the absence of any claim that the information stolen "was viewed by the thief or other third parties, let alone misused to cause damage to credit or identity theft."
A trial court dismissed the original case, and that decision was affirmed by an appellate court. The state supreme court determined that the risk of identity theft was "an insufficient basis on which to impose liability in the absence of any actual identity theft or present financial harm," according to the law firm's report.
The breach incident dates back to New Year's Eve 2005, when a thief broke into the car of a Providence employee and stole a laptop bag containing unencrypted computer disks and tapes. Information about 365,000 patients was stored on the stolen media. That included names, addresses, some Social Security numbers and clinical information.
Upon learning of the breach, the law firm reports, Providence:
- Notified affected patients of the theft, suggesting ways to protect against identity theft;
- Offered patients two years of free credit monitoring and restoration services and reimbursement for any financial loss that might result from later credit or identity theft; and
- Established a website and toll-free call center to answer patients' questions and to help patients obtain desired services.
"Although the Oregon courts decided the case on questions of law, Providence's prompt and substantial response to the theft played a vital role in the successful result at each level," the law firm contends. "When the theft occurred, Oregon had no law governing how a custodian of records should respond to a theft of information. Providence nonetheless responded quickly to contact its patients and arrange for credit protection."
The breach took place before the HIPAA breach notification rule was in effect.