The tapes and disks contained personal information and medical records on about 365,000 hospice and home health care patients of the division of Seattle-based Providence Health System .
In a statement, the parent firm said the four workers left the company after "a confidential and thorough internal review process of the data storage procedures that led to the theft."
A Providence Health System spokesman said he couldn't confirm the titles of the workers, but he did note that all four had jobs related to the data-theft incident.
Meanwhile, the health care organization said it has signed an agreement with security vendor Kroll Inc. in New York to provide its ID TheftSmart credit monitoring and restoration services for free to those affected by the theft.
Providence said it will notify affected patients by mail this week about the deal and will provide instructions for signing up for the program.
ID TheftSmart allows individuals to continuously monitor their credit files. The service investigates potential identity theft cases and can help victims restore their identities if a data theft occurs.
In a statement, Rick Cagen, CEO of Providence Health System's Portland Service Area, said the company turned to Kroll because "we have heard from patients that the process to notify the credit agencies can be difficult, and we appreciate the time they have spent as a result of the theft."
The Oregon attorney general's office is investigating the data-theft incident. A spokesman for the office could not be reached for comment.
The incident took place on Dec. 31 after an IT worker at Providence Home Services took backup tapes and disks home in his car as part of the division's backup protocol. The disks and tapes were stolen from the car that night.
Providence Home Services has since discontinued that backup procedure and brought in more traditional means of protecting data.
Some of the data on the tapes was password-protected at the application level, while the rest was stored in proprietary file formats without password protection. After the incident, the company added more security technologies, including encryption.
The information on the disks and tapes included names, addresses, dates of birth, physicians' names, insurance data, diagnoses, prescriptions and some lab results. Social Security numbers were included with the records of about 250,000 of the patients, according to the health system. Some of the records also included patient financial information, it said.
Providence said it has received no verified reports that the stolen data has been used illegally.