The Oregon Supreme Court last week affirmed the dismissal of a class action lawsuit against Providence Health & Services-Oregon arising out of the theft of patient data on backup media that were stolen from an employee’s car in late 2005.

The case underscores the importance of taking prompt and effective action to protect patients after a data breach. The Supreme Court noted approvingly the substantial—and costly—steps Providence took to protect its patients in the wake of the theft.

Background

The ruling ends a six-year-old legal battle that followed the theft of electronic media containing information on about 365,000 patients of Providence Home Health Services in Oregon. The thief broke into a car of a Providence employee on New Year’s Eve 2005, and stole a laptop bag with computer disks and tapes inside. Information on the stolen media included patients’ names, addresses, some Social Security numbers and, in a very few cases, patient care information. The data were not encrypted, but required special equipment to read.

Providence notified affected patients of the theft and suggested ways to protect against identity theft. Providence also offered to provide patients two years of credit monitoring and restoration services and to pay for any financial loss that might result from later credit or identity theft. Providence established a web site and toll-free call center to answer patients’ questions and to help patients obtain desired services.

Nonetheless, soon after the theft was announced, several individuals filed a class action lawsuit seeking in excess of $73 million. The plaintiffs sought damages for the distress they claimed was suffered when patients learned of the theft. Despite Providence’s prompt actions in providing protection and credit monitoring services, plaintiffs also sought recovery of the cost of credit monitoring services they said had been separately incurred, and for the time and trouble of notifying creditors and government officials.

The Courts Rule for Providence

In a unanimous opinion released on Feb. 24, 2012, the Supreme Court upheld lower court rulings that the plaintiffs had failed to state claims on which they could recover damages either for negligence or for violation of Oregon’s Unfair Trade Practices Act. The Supreme Court based its decision in large measure on absence of any claim that the information stolen was viewed by the thief or other third parties, let alone misused to cause damage to credit or identity theft.

As noted above, the Court took note as well of Providence’s prompt and substantial efforts to reduce the risk of misuse of the stolen data by providing comprehensive protection against the risk the stolen information might be misused. The Court observed the state’s attorney general, who has authority to enforce the Unfair Trade Practices Act, had commented that Providence’s response was “appropriate for patients affected by the theft.”

Providence had moved to dismiss the case soon after it was filed for failure to state facts on which a claim could be based. The trial court granted the motion, relying on an earlier case in which the Oregon Supreme Court held a smoker did not state a claim for negligence when her only claim for damages was the cost of monitoring for possible future health problems.

The Court of Appeals affirmed the trial court’s ruling in favor of Providence. In their appeal, plaintiffs argued they did not need to show misuse of their information. They claimed the mere fact of the theft itself caused them injury. Plaintiffs argued as well that Providence had a special relationship to plaintiffs that imposed on it an obligation to protect them from negligently caused economic or emotional injuries.

When the case got to the Supreme Court that court assumed, for the sake of argument, that the plaintiffs and Providence had been in a relationship that imposed an obligation on Providence to protect the plaintiffs from negligently caused economic and emotional distress. But both kinds of damages plaintiffs claimed arose only from a possible future injury. The “risk” of identity theft, wrote the Court, was an insufficient basis on which to impose liability in the absence of “any actual identity theft or present financial harm.”

Takeaway Lesson

Although the Oregon courts decided the case on questions of law, Providence’s prompt and substantial response to the theft played a vital role in the successful result at each level. When the theft occurred, Oregon had no law governing how a custodian of records should respond to a theft of information. Providence nonetheless responded quickly to contact its patients and arrange for credit protection. In hindsight, Providence was well served by its quick response.