Maryland-based HomeCall Inc. recently notified the Maryland Attorney General’s Office that an employee’s portable point-of-care device was stolen. The device contained names, addresses, SSNs, medical record numbers, diagnoses, and treatment information. HomeCall reports that the device was “multi-level password protected” (but not encrypted). In correspondence to those affected, HomeCall stated that the device required a user/pass to log in and then a second user/pass to access the program containing the patients’ electronic medical records. Eleven Maryland residents were notified of the breach, and the company subsequently encrypted all portable devices.
What a pity that so many entities wait until after they’ve had a breach to encrypt. After all this time, is there really still any excuse not to either have encrypted sensitive data on devices or have implemented some equally effective security?