The Oregon Supreme Court on Friday, February 24, 2012 decided that Providence Health System-Oregon ("Providence") could not be held liable to patients for negligence or violation of the Unlawful Trade Practices Act ("UTPA") after computer disks and tapes containing personal information from an estimated 365,000 patients were stolen from a Providence employee's car. The plaintiffs—patients whose personal information had been stolen—had accused the health care provider of failing to take adequate measures to keep the data safe. The Court's ruling in Paul v. Providence Health System was a victory for the health care provider and for the business organizations that had submitted amicus briefs in the case, although some questions remain unresolved.
The Court based its decision on a narrow, fact-specific point: The plaintiffs had not alleged that the stolen information was used or even viewed by the thief or any third person. In the absence of any misuse of the data, the Court held that patients whose personal information had been stolen had not suffered the type of injury that would support a negligence or UTPA claim. In other words, the expense of credit monitoring services and the plaintiffs' worry about future identity theft are not harms that will sustain a claim for damages in and of themselves under Oregon law. However, the Court clearly signaled that, if the patients had alleged actual identity theft or other misuse of the data, the outcome of the case might have been different.
In its opinion, the Court left unresolved several important questions regarding the duty of health care providers to safeguard patient information. In Oregon, a party cannot be liable for pure economic loss for negligence unless it has a heightened duty of care. In this case, plaintiffs alleged Providence had a heightened duty to protect patients from economic loss because of the relationship between a health care provider and a patient. However, the Court did not resolve this question because it decided to dismiss plaintiffs' claims for the reasons stated above. Similarly, under Oregon law, a defendant's invasion of a "legally protected interest" is one of the few grounds for holding a defendant liable in negligence for inflicting emotional distress without an associated physical injury. The plaintiffs argued that just such a legally protected interest was created both by the doctor-patient relationship and by statutes requiring health care providers to maintain the confidentiality of medical information. Again, the Court reached no conclusion about whether plaintiffs could recover emotional distress damages from a health care provider on this theory.
Thus, it remains uncertain whether Oregon law imposes a duty on health care providers to protect patients from economic loss or emotional distress resulting from the theft of personal information. Additionally, the Court did not give any hint as to whether a heightened level of care might be required by different types of businesses in other contexts. It also remains unclear, for purposes of the UTPA, whether the act of offering health care services constitutes a representation by the health care provider that patient information will be kept confidential.
Providence's victory in this case should not be taken as permission for health care providers to relax their vigilance. While providers may be safe from class action liability where there is no harm, data breaches involving patients' health information can still trigger penalties and notification obligations under both state and federal laws. Indeed, the Oregon Supreme Court noted in its opinion that Providence entered into an agreement with the Oregon Attorney General pursuant to the UTPA to provide credit monitoring and other services to any patient who requested it and to pay more than $95,000 to the State. Providence estimated that the cost of the credit monitoring and other services was approximately $7 million.
On the federal side, penalties under HIPAA recently have been increased to up to $1.5 million for each type of violation, and nondiscretionary penalties of $1,000 per record can apply even when the provider has a reasonable excuse for the violation. The federal enforcement agency is about to launch a series of audits that will focus on providers and others who have reported breaches, and it has deputized state attorneys general to pursue penalties in some cases for a share of the reward. Additionally, the failure to protect patient information from theft might well lead to an award of damages in a future case involving different facts than this one. Rather than rely on the next thief to similarly ignore the information he or she has obtained, health care providers would be well-advised to update their risk assessments and identify and mitigate any identified threats and vulnerabilities to the patient information they have in their hands.
Please contact a key contributor if you have questions regarding this issue.