Oregon computer theft spurs patient privacy lawsuit

The case poses questions about a common practice of transporting medical information.

By Amy Lynn Sorrel, AMNews staff. March 6, 2006.

When a thief broke into a Providence Health System employee's car and stole a bag containing a laptop on Dec. 31, 2005, along with the computer disappeared tapes and disks containing the Social Security numbers and protected health information of 365,000 patients in Oregon and Washington.

In January patients filed a state class-action lawsuit against Providence alleging that the health system had failed to safeguard the data as required by HIPAA and thus violated Oregon's Unfair Trade Practices Act. Oregon Attorney General Hardy Myers is also investigating whether Providence violated the act.

Although the employee involved was not a doctor, the medical community says the case raises a red flag about the practices that hospitals and even physicians have in place that might put them at risk for running afoul of patient confidentiality laws.

"The good news is that lessons will be learned, and this [incident] shows the need for more stringent policies with regard to records handling," said Jennifer Hanscom, spokeswoman for the Washington State Medical Assn.

HIPAA security and information technology experts advise doctors to take appropriate safeguards.

Rosemarie Nelson, a principal consultant for the Medical Group Management Assn., said she had observed a lot of "HIPAA paranoia" about incidental activities, such as walking down the hall with a patient chart, that aren't cause for worry, when doctors should be concerned about more risky practices such as backing up information over the Internet, outsourcing transcription or taking information home.