There was no press release on this one, but the UK’s ICO had HCA International Limited sign an undertaking following the theft of two unencrypted laptops from a hospital in March. According to the statement:
The Information Commissioner (the ‘Commissioner’) was provided with a report of the theft, in March 2011, of two unencrypted laptops containing sensitive personal data relating to patients of the Harley Street Clinic, one of the data controller’s hospitals. The laptops were kept in a locked room in the administrative and laboratory area at the hospital, but the key to this room was kept on a hook on the inside of the door to the next office, which was not normally locked as it contained a fire escape. In addition, at the time of the theft, the door to the corridor used to access these rooms was kept ‘on the latch’ during the day, potentially allowing unauthorised access to the area.
The Commissioner’s enquiries revealed that the devices, which were used for specific cancer treatments, contained custom software and neither would be covered under the supplier’s warranty if encryption or other software were added. Subsequently, the data controller has encrypted the replacement laptops and made further improvements to physical security at the premises.