Oregon Fines a Medical Clinic for Violating the State's ID Theft Law - The Oregon Department of Consumer and Business Services announced on November 1, 2013 that it fined Samaritan Health Services, Inc., a regional health system, $5,000 (reduced to $1,000) for violating Oregon's identity theft law by improperly discarding business records and patient files with patient names and social security numbers. A patient discovered approximately 1,222 patient files in an unlocked recycling container outside of Samaritan's Family Medicine Clinic in Corvallis, Oregon in July 2013. Of the 1,222 about 20 files included patient names and unredacted social security numbers. [1] The Oregon Department learned of the incident from the press. [2]

[Jump to Take-a-Ways]

Samaritan "operates a non-profit network of hospitals, physician clinics, health plans, and senior care facilities in Albany, Corvallis, Lebanon, Lincoln City, Newport, and Sweet Home, Oregon." [3]

The action was based on the Oregon Consumer Identity Theft Protection Act (ORS 646A.600) ("ID Theft Law"), which, among other things, requires companies to notify consumers in the event of a data breach,  permits impacted consumers to put a security freeze on their credit report, prohibits companies from printing and otherwise displaying social security numbers, and requires companies to develop, implement and maintain reasonable safeguards to protect personally identifiable information. The Act also provides that violators may be subject to a civil penalty of not more than $1,000 for every violation.

Samaritan was charged with violating several sections of the ID Theft Law for improper disposal of the records and ordered to pay a civil penalty of $5,000 "for publicly posting, displaying or otherwise making available to the public, files bearing consumer names and unredacted Social Security numbers in violation of ORS 646A.620 (1)(c)." [4]

But, Patrick M. Allen, Director of the Department, agreed to suspend $4,000 of the $5,000 penalty provided that Samaritan "complies with all terms and conditions set out in this Consent Order and commits no new violations of the Identity Theft law, ORS chapter 646A, or Oregon Administrative Rules chapter 441, division 646" for five years.


  • The Oregon action serves to remind healthcare providers and those that manage protected health information (PHI) that, when disposing of records containing patient data, they must comply with both HIPAA and state data disposal laws. As of December 2013, at least 30 states have enacted laws setting forth disposal requirements for business records that contain personally identifying information. [5]
  • The Oregon Consumer Identity Theft Protection Act may be changing. Oregon House Bill 3411 proposed changes to a number of the sections including section 646A.622, which addresses the requirement to develop safeguards for personal information. But, entities subject to HIPAA and the Gramm-Leach-Bliley Act are deemed to comply with section 646A.622 of the Oregon Act if they comply with the respective federal regulations. [6]
  • Identity theft continues to be of great concern to both state and federal regulators and this concern tends to drive enforcement activity. Healthcare providers and group practices are particularly attractive targets to thieves and fraudsters because these companies have access to a lot of personally identifying information (e.g., names, phone numbers, social security numbers, credit card numbers, etc.) and may not have the proper security measures in place. Providers should be particularly cognizant of these concerns and take appropriate steps to minimize risks to their patients. Proof of identity theft often fulfills the damages requirement in a data breach class action.
  • Training workforce members on the proper handling and disposal of patient records must be an ongoing effort. As of December 31, 2013, two of the top complaints received by the Office of Civil Rights, the federal enforcer of HIPAA, is impermissible uses and disclosures of PHI and lack of PHI safeguards. [7]
  • For many people, a report to the press is the first stop. Negative publicity can cause great damage the goodwill and the bottom line of an organization. Moreover, as clear from this incident, state regulators are paying attention to press reports. The Office of Civil Rights pays attention as well. For example, OCR entered into a settlement agreement with Shasta Regional Medical Center for $275,000 after OCR learned from media reports that senior leaders at the company met with members of the press to discuss medical services provided to a patient. "When senior level executives intentionally and repeatedly violate HIPAA by disclosing identifiable patient information, OCR will respond quickly and decisively to stop such behavior," said OCR Director Leon Rodriguez. [8]

------------------
[1] In re Samaritan Health Services, Oregon Department of Consumer and Business, Division of Finance and Corporate Securities, Consent Order No. 13-0570 (11/1/13) [hereinafter Consent Order].

[2] Bloomberg BNA Health Law Resource Center, Oregon Regulator Fines Health System
After Records Discovered in Recycling Bin, 22 HLR 1674 (Nov. 5, 2013) ("Diane Childs, a spokeswoman for the Division of Finance and Corporate Securities, told Bloomberg BNA Nov. 5 that the agency found out about the breach through an article in a local newspaper.")

[3] Consent Order at para. 1.

[4] Id. at para. 10.

[5] A list may be obtained from the National Conference of State Legislatures, https://www.ncsl.org/research/telecommunications-and-information-technology/data-disposal-laws.aspx (last visited Jan. 14, 2014).

[6] 77th Oregon Legislative Assembly, 2013 Regular Session, House Bill 3411 (Sponsored by Representative Gomberg, Representatives Boone, Gallegos, Lovely, and Senator Roblan.

[7] Office of Civil Rights, https://www.hhs.gov/ocr/privacy/hipaa/enforcement/highlights/ (last visited Jan. 14, 2014).

[8] Press Release, Office of Civil Rights, HHS Requires California Medical Center to Protect Patientsí Right to Privacy, June 13, 2013, https://www.hhs.gov/ocr/privacy/hipaa/enforcement/examples/shasta-agreement-press-release.html.