This is one of those breach reports that stumps me every time. Keith Edwards reports for WQOW:
Hundreds of western Wisconsin patients are warned their medical and personal information may have been compromised.
The Lakeview Medical Center in Rice Lake says a laptop computer was stolen from a car belonging to one of its nurses. The computer contained information about more than 500 patients of its homecare and hospice programs. That includes names, Social Security numbers, dates of birth, home addresses, Medicare ID numbers and diagnosis information.
The hospital says it believes the risk of identity theft is very low, because the computer is password protected and the files are encrypted. Even so, all of the patients received letters this week informing them of the incident. The hospital is also offering to pay for one year of credit report monitoring services that specialize in identity theft cases.
The nurse who was involved no longer works at the facility, and the hospital says it is taking steps to prevent any similar incidents in the future.
So if they were conscientious enough to use encryption, was it NIST-grade? If so, they had an exemption or safe harbor and there’s no need to notify or provide credit monitoring. And if it wasn’t NIST-grade, then I wonder why they didn’t take it to that level and avoid the costs of breach notification and monitoring.