Back in late 2005, a car prowler stole unencrypted computerized medical records of 365,000 Providence Health System patients from an employee’s car. We filed a case here in Portland on behalf of the 365,000 patients, and the trial judge granted Providence’s motion to dismiss the claim. We appealed and recently filed our opening brief with the Oregon Court of Appeals.

I co-authored the brief with my friend and colleague, Brian Campf. Here is a pdf version:

Providence Class Action: Patients’ Opening Brief Oregon Court of Appeals

Appeals move at their own pace. I don’t expect a decision from the Court of Appeals until 2009.

David Sugerman

This sounds familiar. In today’s news, a laptop stolen from the National Institute of Health contained unencrypted medical records on 2,500 patients. By way of full disclosure, I represent Portland-area patients in a case against the Providence medical system for a similar data loss.

I can’t help but be amazed that any medical information is stored without encryption. How can that not be the standard of care?

Adding insult to injury, the institution delayed reporting to patients, giving two very different reasons for the delay. First, the NIH spokesman explained that they didn’t want to cause undue patient alarm. And second, the agency concluded patients weren’t “at immediate risk.”

Okay, I’m totally jaundiced here. But doesn’t that statement–the lack of “immediate risk”–really mean, “They weren’t my medical records.”

After the Providence case, it should really be this simple: encrypt the records.

David Sugerman