Last December, Providence Health announced that an employee laptop containing unencrypted identity-related information on over 350,000 members was stolen. The theft put those members at risk for identity theft.

Providence has now reached a settlement with the State Attorney General’s office, the terms of which include Providence paying for credit monitoring for affected individuals, as well as for credit restoration services for those folks who become victims of identity theft.

While victims of identity theft will surely go through hours, days, or even years of anguish and hassle, I wonder about the terms of the settlement. Is it fair? Should the company have faced a huge fine, which would likely be passed along to the (innoncent) members? Is there a better way to send a clear message that Providence screwed up in a very big way?

Does this situation really impact Providence at all? Most folks have anywhere from one to three medical plan options with an employer… is the risk of sloppy identity management enough to cause someone to enroll in a non-Providence plan, or is this a case where a large company has again screwed the little guy, with no real punishment?