PORTLAND, Ore. – The theft of 365,000 medical files of Oregon and Washington patients has brought calls for tighter controls on businesses that handle personal data and for penalties on those that fail to safeguard privacy.
Providence Health System waited until Wednesday to notify the patients whose medical records had been stolen from an employee’s car in Milwaukie, Ore., Dec. 31. Certain home services employees routinely took home digital files containing copies of patients’ records for emergency backup.
Because some affected patients live in Washington, Providence officials were obligated under a Washington law to inform patients of the theft “in the most expedient time possible and without unreasonable delay.”
Security advocates and legal authorities questioned the at-home storage practice, the lack of computer encryption on the files and the time it took Providence to report the breach.
“There are some serious questions here,” said Jan Margosian, a spokeswoman for Oregon Attorney General Hardy Myers. “It is very reasonable for you to expect that your medical records will be kept safe and secure. That doesn’t appear to be what happened.”
Providence’s hotline dedicated to the privacy lapse received more than 1,000 calls on Thursday, and patients with complaints kept phones ringing all day at the attorney general’s office.
Rick Cagen, regional chief executive for Providence Health System, said the company delayed alerting people to the theft to identify each of the patients whose records had been stolen and to prepare to help them.
“We wanted to do it right,” Cagen said.
Unlike California, Washington and at least 21 other states, Oregon has no law requiring companies to report privacy lapses. Last year, a security-breach bill in the Legislature failed to overcome resistance from industry groups.