By Kim S. Nash

Providence Health & Services lost information on 365,000 patients—after 10 backup tapes and disks were stolen from the back of an employee's minivan. Now, 12 months and $7 million later, the health-care provider remains mired in the aftermath. Here's


December 30: No Holiday for Data Thieves

Providence is known among health-care providers as a technology leader. Headquartered in Seattle, the company was started by five women in the mid-1800s as a Roman Catholic ministry and charity, and has grown to run hospitals, clinics and elder-care facilities in five states.

In 2004, Providence started using electronic medical records, well ahead of many health-care firms that now struggle with them or are only starting to consider them. Providence's electronic record combines doctor's notes, test results, images and scans of paper documents. The company consistently rates among the top five health-care providers for how efficiently it integrates operations between doctors, hospitals, clinics and all the other facilities involved in treating, and billing, the sick, according to Verispan, a health-care researcher in Yardley, Pa.

The technology O'Brien oversees in the Oregon region, according to the Providence Web site, includes 60 clinical, financial and operations systems, such as Lawson Software human-resources applications, Oracle databases, McKesson health-care patient accounting software and SPSS statistical analysis tools; 6,100 personal computers; and 149 Unix, Linux, Microsoft Windows and other servers.

Providence performs nightly backups of these systems to standard tapes and disks, O'Brien says, and turns them over to records management firm Iron Mountain, which secures them off-site.

But not at Home and Community Services, which, O'Brien discovered, had its own way of protecting data.

On the night of Dec. 30, off work for the holiday, Steve Shields drove to his Milwaukie, Ore., home and parked his Plymouth Voyager in the driveway at the bottom of his yard, according to the sheriff's report. He left his computer bag full of disks and tapes on the floor of the minivan. Sometime after 10 p.m., someone smashed a window and grabbed the bag, he told the Clackamas County Sheriff's Department the next morning.

Several other cars in the same area, a neighborhood of large, comfortable-looking homes among giant pines, were also burglarized that weekend, although the thieves didn't take everything they could lay their hands on. The report notes that some "high-end items"—including a laptop computer in Shields' car and possibly some Christmas presents in his wife's car, which was parked next to his—were left behind.

The stolen disks and tapes contained copies of records on at least 365,000 people living in Oregon and southwest Washington, some going back to 1987. The records were created by various offices of Home and Community Services, which serves patients who are chronically ill, disabled, or so old or injured that they need special care or equipment in their homes.

But some of the patients whose data disappeared are young—children, for example, who went to the hospital to get crutches or some other outpatient care, along with the adults who agreed to pay their bills. Oregon has no law requiring companies to notify customers after their data is compromised, but the state of Washington, where some of the patients live, does. The wife of one of the attorneys representing patients in the case received Providence's notification letter, according to court papers. So did Judge Litzenberger and an unnamed judicial assistant. The judge and her staff are now excluded from profiting from any settlement with Providence.

Nineteen days after the theft, Providence gave police photos of Sony SDX2-50C cassette tapes and Hewlett-Packard rewritable optical disks—media of "the same style"—so investigators would recognize the stolen goods if they turned up.

O'Brien maintains that Home and Community Services' "rogue I.T. department" was the problem. For 10 years, Providence in Oregon has been bringing its hospitals and their information-technology staffs onto centrally managed clinical systems. So far, she says, seven staffs have been consolidated. But Home and Community Services maintained its own computer systems, and although the technology staff "had accepted that they were no longer a mom-and-pop shop" and were going to move their operations into Providence's Oregon regional data center, the switch-over hadn't happened yet. They still managed and backed up eight systems by themselves.

"The practice did not match our policies," she says. "This was the only [department] we had not centralized."

"Obviously," she adds, "the number-one lesson learned is not to have a rogue or a shadow I.T. department out in your business units."

Yet the burglary of Shields' minivan was not the first time Providence had lost data.

Between August 2005 and last December, four computers were stolen from Providence's secured building in Portland, according to Faye Jorgensen, Providence's director of regional security, who was quoted in the sheriff's report. They held Drug Enforcement Administration numbers (which are required by the DEA to prescribe drugs) and other personal information about doctors.

In September 2005, a laptop holding records on eight hospice patients was stolen, and in December 2005 another, holding records on 14 home-care patients in Snohomish County, Wash., was taken. Providence didn't announce these thefts until March, when it said in a press release that two more laptops containing information on 122 patients had also been stolen—one from the car of a different Providence employee in Washington.

"The employees involved in the 2006 thefts were not following Providence Health & Services policy, which requires that confidential data be secure at all times," the release said.

The patients who have sued Providence in Oregon, Russell Gibson and William Weiller, claim Providence was "negligent in failing to handle protected health information when it allowed an employee to store [it] in his or her car." Providence's McGrory says the patients have no case and the judge should dismiss it. But the patients want it certified as a class action so all 365,000 of them can collect any damages awarded for inconvenience, impairment of access to credit or emotional distress.

Many patients fear that leaked medical information may somehow hurt them or affect their jobs, adds David Paul, another lawyer on the patients' case against Providence. He says his office has received numerous calls from worried patients. "What if you're on the Oregon police force and taking anti-depressants?" he asks.

Paul says evidence collected in the case reveals "dozens" of times when Providence has lost control of information about patients—a notion that Providence's Walker disputes.

"This was not just one rogue group," Paul maintains. "[They failed] to have their data secure in a number of different components of their operation."

Policies at Providence, revealed as part of the patients' lawsuit against it, say that "electronic records will not be left unattended or unsecured in areas accessible to unauthorized individuals." Another policy states: "All portable computing devices must use encryption. Media removed from [Providence] facilities must be encrypted."

The New Year's theft slapped the company and customers awake to the split between policy and reality.


This article was originally published on 2006-12-06
Senior Writer
Kim has covered the business of technology for 14 years, doing investigative work and writing about legal issues in the industry, including Microsoft Corp.'s antitrust trial. She has won numerous awards and has a B.S. degree in journalism from Boston University.