/* Style Definitions */
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-bidi-font-family:”Times New Roman”;
In a long-awaited decision, Paul v. Providence Health System – Oregon (Oct. 6, 2010), the Oregon Court of Appeals ("Court") unanimously affirmed the dismissal of a class action arising out of a third party’s alleged theft of hospital patients’ personal information. The stolen records contained unencrypted personal, medical, and financial information for an estimated 365,000 patients. Patients, whose information had allegedly been stolen from a hospital employee, sued the hospital for negligently failing to safeguard the records and violating Oregon’s Unlawful Trade Practices Act ("UTPA"). The patients, who asked to represent a class of all individuals affected by the alleged theft, sought injunctive relief and damages for emotional distress and for past and future costs of credit-monitoring and other services to protect against identity theft.
Plaintiffs’ negligence claims were based on per se and common law negligence. As to the first negligence claim, the plaintiffs alleged that the hospital failed to comply with federal and Oregon state laws providing for the protection of medical information. With regard to the common law negligence claim, plaintiffs alleged that the defendant was negligent "in failing to safeguard the data, in failing to encrypt it, in allowing its agent or employee to store such data in his or her car, and in failing to put in place policies that would protect such data from theft and disclosure." Further, the plaintiffs claimed that the defendant violated Oregon’s "UTPA" by (1) "representing that all information gathered to sell its services or goods would be safeguarded and kept confidential when it knew that it lacked adequate means to safeguard such information" and (2) "representing that the business of sale of services and goods would include privacy and confidentiality when it knew that the transactions were not confidential due to its inadequate data protection program." Plaintiffs did not allege that they had been victims of fraud or identity theft as a result of the stolen information or that the stolen information had otherwise been compromised.
The trial court dismissed the patients’ claims for failure to state a claim on which relief could be granted, and, under a unique provision of Oregon law, determined that a class action could not be maintained because the hospital had provided a timely and appropriate remedy to patients allegedly affected by the theft. On appeal, the Court agreed that the plaintiffs had not alleged a legal basis for the hospital’s liability, finding that the trial court was correct to dismiss the plaintiffs’ action and the hospital did not owe a special duty to protect patients’ records from theft other than the duty to exercise reasonable care to prevent economic loss or emotional distress to the plaintiffs. Because the Court dismissed the action for failing to state a claim on which relief could be granted, the Court did not reach the question of whether the trial court properly determined that the case could not proceed as a class action. The Oregon Court of Appeals opinion is available here.
Thank you to Douglas Ross of Davis Wright Tremaine LLP and a member of the ABA Privacy and Information Security Committee for helping create this post.