In December 2005, a thief broke into Steven Shields' car at his Oregon home and walked off with computer disks and tapes containing unencrypted personal information on 365,000 patients at Portland's Providence Health Systems.
The breach was the largest of its kind in Oregon history and resulted in a class-action lawsuit against the health care provider and a nine-month-long investigation by the state attorney general. That probe ended with a US$95,000 settlement paid out by Providence Health.
Now, in a new twist in the case, Shields -- a former IT worker for the health care agency -- has filed a wrongful termination lawsuit against Providence Health, claiming he was fired in February 2006 simply because he reported the theft to local law enforcement officials.
The lawsuit, filed at the Multnomah County Circuit Court on Aug. 28, seeks US$1 million in damages for lost wages and what Shields' attorney said was the emotional distress caused by the firing. In addition to anxiety, depression and humiliation, the firing also caused anger, lost sleep and skin disorders, the lawsuit said.
"Steve was a 10-year employee with a good record," said Kevin Keaney, the attorney representing Shields in the suit. "Steve was fired because he made a report on the stolen media to the sheriff," Keaney said. According to Keaney, prior to Shields' reporting the data theft to law enforcement, there was nothing in his employment history at Providence to suggest he would be fired.
The theft occurred on Dec. 30 or 31, 2005. Providence Health did not start notifying affected individuals until the end of January in 2006. Shields was fired the next month.
Keaney noted that the lawsuit is being filed under Oregon's whistle-blower law, which makes it illegal for a company to fire an individual for making a report to law enforcement authorities. According to Keaney, Shields was just doing the job he was asked to do when he transported the Providence patient data tapes to his home as part of the organization's backup protocol.
A spokesman from Providence Health confirmed the legal dispute but said it is against company policy to comment on pending lawsuits.
Shields was one of four Providence Health IT employees to lose their jobs following the incident, although he was the only one to be fired. Three others resigned following an internal review of Providence Health's data storage procedures. All four had jobs related to the data that disappeared when the disks and tapes were stolen.
The recent lawsuit is only the latest fallout from the breach, which has already cost the health care agency millions of dollars in notification and credit monitoring costs and prompted the state attorney general to probe the apparent delay in notifying affected individuals of the breach. That investigation ended a year ago with a settlement under which Providence Health admitted no violation of law but agreed to pay patient claims for direct financial losses stemming from the theft. Providence Health also agreed to offer free credit monitoring services for a year to affected individuals and agreed to extend it for individuals on an as-needed basis.
The company also ended the practice of allowing employees to take patient data home and has instead hired an outside company to take the backup data to a secure site. And it agreed to designate an employee to build an information security program that would include employee training and regular testing of the program's effectiveness.
Providence Health has until late this month to formally respond to Shields' suit.