An Oregon state agency faces a class-action lawsuit stemming from its inadvertent release of COVID-19 vaccination data of more than 40,000 state employees.
Elena M. Martinez, an Oregon Department of Corrections worker, sued the Oregon Department of Administrative Services over the data release in Marion County Circuit Court last week. The class-action lawsuit alleges that state employees faced harassment and intimidation after the state inadvertently released the data.
The state has not yet filed a response in court. A spokesperson for DAS declined to comment on the lawsuit and a related labor complaint about the release.
Last year, the department publicly acknowledged it inadvertently released vaccination status of state employees to The Oregonian/Oregonlive.com and the Statesman Journal in Salem. By law, that information is supposed to be confidential. Those media outlets never published the vaccination status of individual employees.
But the lawsuit alleges that the agency did not do enough to protect the privacy of state employees. DAS shepherded the process by which all executive branch state employees uploaded their vaccination status, including the type of doses received, into Workday, the state’s online portal for workers.
Gov. Kate Brown’s order set that process in motion. In August 2021, Brown ordered all state employees to be fully vaccinated by Oct. 18, 2021, or have an exemption. Consequences for failure to comply included termination.
The Department of Administrative Services promised that “[v]accine documents are only visible to HR Executives, HR Partners, ADA Coordinators and COVID Vaccine Coordinators,” the lawsuit says.
Even so, concerns persisted about the security of the Workday program, the lawsuit says. On Sept. 27, 2021, Nettie Pye, Oregon’s labor relations manager at DAS, sent an email that said: “[v]accination documentation is kept in the confidential (Level 3 – Restricted) COVID-19 Vaccination Documentation file in Workday.” The email told employees that it is “separate and highly secured, only viewable by you and the roles responsible for managing the vaccine mandate requirements.”
On Oct. 18, Adam Crawford, the external relations manager for DAS, sent out the spreadsheet with the confidential vaccine data to media outlets. It included whether employees were vaccinated, had an exemption, or if human resources was reviewing their documents.
Later that same day, The Oregonian published an article about the data release. Two hours after the story published, DAS sent out a statewide announcement about the release to employees.
The next day, several unauthorized people gained access to the data and used it to “intimidate, threaten, harass, and embarrass unvaccinated state employees,” the lawsuit says. In one instance that it cites, a Department of Corrections captain highlighted the names of unvaccinated corrections employees stationed at Oregon State Penitentiary on a public shift-scheduling board.
The lawsuit doesn’t detail how the unauthorized people accessed the data, which wasn’t published. But the lawsuit alleges that the disclosure violated state law.
The state failed to notify employees promptly and violated state law by failing to notify law enforcement or provide contact information for national consumer credit reporting agencies, the lawsuit alleges. The lawsuit seeks relief that includes improvements to data-breach notification procedures and a change that allows workers to decline to upload private identifiable and confidential medical information to Workday.
The lawsuit alleges that DAS was negligent by allowing unrestricted access to employee data in an insecure way. The lawsuit also alleges the agency committed fraud when it told employees that the information would be secure.
“DAS knew, or should have known, that those representations were false,” the lawsuit says.
The lawsuit was filed by attorneys Amanda Reilly and Kevin Lafky of the Salem firm, Lafky & Lafky. It seeks unspecified monetary damages and an order that gives state employees the freedom to not register their COVID-19 vaccination status on Workday.
Labor Complaint Filed
Separately, the American Federation of State, County and Municipal Employees filed a labor complaint with the Oregon Employment Relations Board. AFSCME represents about 1,900 state corrections employees.
In its Oct. 27 complaint, the union said it sought and received assurances from the state that employee vaccination information would be kept separate from the rest of an employee’s personnel file.
Those assurances were laid out in a letter of agreement on Oct. 15 – three days before the inadvertent data release.
“After the article was published, DAS distributed an email admitting to the breach and giving a half-hearted apology and unsatisfactory explanation about how the breach occurred,” the complaint says.
DAS declined to comment on the labor complaint.
The complaint said union leadership was “shocked and deeply angered by the state’s careless, improper, and unlawful breach of its members’ privacy and confidentiality rights under the law and the LOA.”
“Within minutes after the article was published, the union began receiving emails, phone calls, and other messages from employees who were angry and frightened by this egregious data breach,” the complaint said.
The complaint asks for an order that prevents the state from repeating that action and requires the state to financially assist any employees who suffered from the breach. The union also wants the order to require the state to conduct an investigation into the breach and improve its system to ensure that it doesn’t happen.
The union wants the state to “issue a full and true apology for its broken promises,” and to reverse any adverse employment actions taken against employees who did not trust the state with their confidential information after the breach.
The complaint also seeks a $1,000 civil penalty.
You can reach Ben Botkin at [email protected] or via Twitter @BenBotkin1.