Suit: Employee Fired for Reporting Breach
For one of the biggest healthcare data breaches in history, the lawsuits haven't stopped yet.
In December 2005, thieves broke into the parked van of an IT systems analyst for Providence Home Services, a Washington state health care company, stealing a computer bag with ten unencrypted tapes and disks holding information on what would turn out to be more than 365,000 hospice and home health care patients: everything from Social Security numbers and birth and death dates to diagnoses, prescriptions and insurance numbers. Data on doctors, including their Medicare and Medicaid and state license numbers, names, addresses and phone numbers were also missing.
Executives waited three weeks before informing patients about the stolen data, in what turned out to be the biggest data breach ever reported in Oregon. The state investigation and class-action lawsuit that followed ended in a $95,000 settlement payment by the healthcare provider to the state of Oregon to cover the cost of the investigation.
Now, in a lawsuit filed Aug. 28 in Multnomah County Circuit Court, near Portland, former Providence Home Services IT systems analyst Steven Shields is seeking $1 million in damages from his former employer for allegedly violating Oregon's whistleblower law.
Steven Shields, the employee who left the records inside the van, alleges in the lawsuit that he was fired for reporting the December 2005 incident to police. Whistleblower laws prevent companies from firing employees who make a good-faith report of wrongdoing. If employees are worried about losing their jobs, the law reasons, they may not do the right thing when a dangerous situation occurs.
In the court papers, Shields' lawyer Kevin Kearney claims that the IT analyst has suffered from depression, anxiety, humiliation and lost sleep since the incident. Shields had worked for the company for almost ten years before being fired.
Providence Home Services declined to comment.
Meanwhile, responders to news of Shields' lawsuit haven't exactly cast the IT worker a sympathetic glance.
"This 'O poor me' needs to be very thankful that he isn't being sued by each and every person whose records were stolen," wrote a commenter on Oregonlive.com.
"Where in his directive to 'Take the records home' [does it] say leave them in your car?" the commenter railed.
At issue in the lawsuit, however, is not whether Shields handled sensitive data incorrectly, but whether the company fired him for reporting the security breach.
While there have been no reported incidents of fraud in connection with the data breach since it was reported, the company has agreed to provide at least one year of free credit-monitoring and credit restoration services to victims, and has also beefed up security by creating an information awareness program for employees. A contractor has since been hired to transport and store all sensitive data, instead of allowing employees to take it home.