AG Files Data Breach Settlement With Providence Health System-Oregon
Attorney General Hardy Myers today filed a settlement agreement with Providence Health System-Oregon ending a nine-month investigation into the largest data breach ever reported in Oregon. The Assurance of Voluntary Compliance (AVC) filed in Multnomah County Circuit Court admits no violation of law.
The Providence data breach occurred December 30 or 31, 2005, when backup tapes and discs containing personal information on 365,000 patients, mostly Oregonians, were stolen from a Providence employee's car parked at home in the Portland area. The data was not encrypted. Providence reported the breach at the end of January 2006.
"Providence waited over three weeks before informing the Oregon Department of Justice and 365,000 home services patients of a data breach concerning personal medical and financial information," Myers explained. "Although Oregon does not have a data breach notification law, Providence knew that timely reporting was extremely important when dealing with possible identity theft."
"To their credit, Providence officials not only cooperated fully with the Department of Justice investigation but will spend millions of dollars in corrective action to relieve any harm to affected consumers," Myers added.
Under the settlement agreement, Providence will continue to provide at least 12 months of free credit monitoring services if requested by affected home services patients. This includes a possible extension of the credit monitoring services for an additional year if deemed appropriate. Providence also will continue to provide credit restoration services through at least December 2007 should any affected patient become a victim of identity theft. To date, the Department of Justice has no confirmed reports of ID theft linked to this case.
Providence also will designate an employee to coordinate an information security program that includes employee training on data security and regular testing of the security program's effectiveness. The company has hired a private security company to transport its data to a secured site, and Providence employees no longer take the patient data home.
The agreement also requires Providence to pay patient claims for direct financial losses that are established as resulting from the theft of the data. The company paid approximately $95,000 to the Consumer Protection and Education Fund.
Although the Department of Justice used the far-reaching Unlawful Trade Practices Act to cover the data breach activity, Myers believes a specific data breach law is needed. "Currently, the Department of Justice is participating in a working group, whose goal is to draft legislation that is supported by both industry and government but that, most importantly, insures that adequate protections are in place if a consumer's information is breached," Myers explained.
Consumers wanting more information about the Providence AVC and consumer protection in Oregon may call the Attorney General's consumer hotline at (503) 378-4320 (Salem area only), (503) 229-5576 (Portland area only) or toll-free at 1-877-877-9392. Justice is online at www.doj.state.or.us.
Stephanie Soden, (503) 378-6002
Jan Margosian, (503) 947-4333 (media line only)