The former IT systems analyst who was in possession of backup tapes and disks before they were stolen out of his parked van has sued the Providence Health System over his firing.
Steven Shields alleges in the lawsuit that he was fired for reporting to police the December 2005 incident, in which thieves stole about 10 unencrypted tapes and disks that contained the personal information of some 365,000 patients of Providence Home Services, a division of the health system.
Shields is protected under Oregon's whistle-blower law, which prevents companies from taking a job action against employees who "make a good-faith report of wrongdoing," Shields' Portland, Ore. attorney, Kevin Keaney, told SCMagazineUS.com today.
When asked whether Shields may have been fired for violating company policy, not for reporting the incident to police, Keaney said, "[Companies] always come up with what they call a legitimate business reason [for the firing]...Then it becomes a question of, 'Well, what is it?' The jury has to find out."
Three employees resigned and one was fired following an internal review of the breach, Providence said in a February 2006 statement. The company did not name the employees or detail what its investigation turned up.
Thomas Johnson, a Providence spokesman, told SCMagazineUS.com today that policy is to not comment on pending litigation. He also declined to comment about the internal review, which apparently resulted in Shields' firing, or anything related to the breach.
In the lawsuit, Shields is seeking $1 million in compensation for lost wages and damages caused by “pain, suffering, humiliation, anger, lost sleep, lost enjoyment in life, anxiety, depression and skin disorders,” according to a Wednesday report in The Oregonian.
"The guy was devastated by it," said Keaney, who filed the lawsuit in state court in Multnomah County, Ore. "The guy was emotionally distraught over the whole thing."
Alan Charles Raul, a Washington, D.C. attorney specializing in information law and privacy, told SCMagazineUS.com today that he does not know specifics about this case but said all organizations should encourage employees to report data-loss incidents without fear of reprisal.
“Companies need to set up structures and systems that encourage employees to report thefts, losses and other compromises of information - information of any kind that is important to the company,” he said. “Companies that set up disincentives to timely, candid reporting are really shooting themselves in the foot because really these breaches and other information mishaps can happen to any company, even if they have good systems in place to prevent them.”
Shields worked for Providence for about a decade and is currently employed in a similar line of work, his attorney said.
Roughly nine months after the theft, the Oregon Attorney General's Office and Providence settled over the lost tapes and disks, which contained Social Security numbers, clinical and demographic information and, in a limited number of cases, financial records. There have been no reported incidents of fraud in connection with the breach.
Under the agreement, Providence will provide at least one year of free credit-monitoring services for victims and offer credit restoration services through the end of this year. The health system also paid $95,000 to the state's Consumer Protection and Education Fund.
Providence also agreed to beef up its security by creating an information awareness program for employees and hiring a contractor to transport and store sensitive data, instead of allowing employees to take it home. The hospital system never admitted any wrongdoing.