The Oregon Court of Appeals handed down a decision Wednesday ruling against the plaintiffs of a class-action lawsuit, who had claimed that Providence Health-Oregon of Portland, Ore. had negligently failed to safeguard unencrypted records with private patient information that was stolen from a Providence employee's car.

The facts alleged in the case are that a Providence employee medical care provider had taken home some computer disks and tapes, leaving the items in his car, from where the theft occurred. The items contained unencrypted patient records for around 365,000 individuals, including names, addresses, phone numbers, social security numbers and patient care information. A little over three weeks after the theft, Providence alerted each patient as to the loss of data and advised them to take precautions.

The plaintiff patients then filed suit against Providence, accusing it of negligence and of violating the Unlawful Trade Practices Act (UTPA) by a representation to keep patient information confidentiality, when it had not sufficiently ensured such confidentiality. The plaintiffs had argued they suffered exposure to loss of privacy and costs for monitoring credit reports and fraud alerts. A trial court had granted Providence's motion to dismiss the case.

In the Court of Appeals opinion, the court said that the negligence claims failed because the plaintiffs were not able to prove the primary element of a negligence tort: duty. In this case, a duty to guard against the specific harm alleged -- trauma associated with the loss of personal medical information as a result of theft.

As to the UTPA claim, the court explained that the UTPA protects against false representations of goods or services that have benefits, standards or qualities that in fact are not present. The plaintiffs' theory of UTPA violation appeared to be that a. Providence's role as provider of medical services was subject to state and federal confidentiality laws; b. Providence allegedly represented, in offering its services and products, to keep patients' private information confidential; and c. the company did not have procedures and practices in place to protect the information against a loss by theft and therefore, the services were not of the standard or quality represented. The plaintiffs then claimed that due to the alleged violation of the UTPA, they faced a threat of monetary or property loss due to the theft, and claimed damages for costs to forestall the threatened losses.

The court rejected that argument, saying that the plaintiffs had not alleged a loss of money or property as a result of any misrepresentations, but rather for alleged out-of-pocket expenses to prevent a potential loss of money or property through identity theft that might result from the misrepresentations. The court said that there is no authority for covering a "once removed" covered entity under the UTPA.

More Industry Headlines