
Electronic Medical Records

Paul v. Providence Health System-Oregon, 273 P.3d 106 (Or. 2012)

Also under Patient Privacy

Outcome: Very favorable


The issue in this case is whether, under Oregon law, a hospital could be liable for damages for the loss of unencrypted patient records if the patients whose records were lost had not suffered tangible economic harm.

AMA interest

The AMA advocates for and supports initiatives to minimize the financial burden of adopting electronic medical records.

Case summary

A hospital employee took home computer disks and tapes containing unencrypted records, which were then stolen. The records included names, addresses, telephone numbers, Social Security numbers, and health care information. A few weeks after the theft, the hospital sent letters to each of the affected patients alerting them to the loss of data and advising them to take precautions to protect themselves.

A class action was filed on behalf of the patients affected by the theft.  The plaintiffs claimed they suffered loss of privacy, expenses associated with monitoring of credit reports, placing and maintaining fraud alerts, and general “costs of credit damage.”  They sought relief based on common law negligence and the Oregon Unlawful Trade Practices Act.

The hospital moved to dismiss the suit for failure to state a cause of action, and the trial court granted that motion. The plaintiffs then appealed to the Oregon Court of Appeals. The Court of Appeals affirmed, holding that under Oregon law neither a risk of future injury, not yet realized, nor the expense of monitoring for a possible injury is a compensable damage.

The plaintiffs then appealed to the Oregon Supreme Court, which affirmed.

Litigation Center involvement

The Litigation Center, along with the Oregon Medical Association, filed an amicus brief in the Oregon Supreme Court, supporting the hospital.

Oregon Supreme Court brief