I don’t recall ever seeing an actual statistic as to how often laptops are stolen from locked offices after hours, but I wonder if we’ve done enough to get the word out to covered entities that it might be better to rely on encryption than to rely on the physical security of the office premises.
Family Health Enterprise in Atlanta might serve as a useful example of the problem. On February 11, they issued a notice that states, in part:
Women’s Health Enterprise, Inc., d/b/a Family Health Enterprise (FHE), a non-profit primary care services provider, notifies approximately 3000 patients of FHE’s Breast Health Promotion Program of a breach of unsecured personal medical information. On January 2, 2013, FHE’s locked office at 634 McDonough Blvd SE in Atlanta, Georgia was broken into after business hours, and 2 laptop computers were stolen. FHE immediately notified local police.
Certain of FHE’s Breast Health Promotion Program patients’ medical information was stored on the stolen laptops, including names, Social Security Numbers, addresses, dates of birth, and clinical information. FHE has no knowledge that the individual(s) responsible for the theft or others have accessed and obtained such personal information from the laptops. Nonetheless, the notice that FHE has sent to affected patients includes detailed information about identity theft protection, including precautions to minimize the risk of inappropriate use of the information.
The incident was also reported to HHS, which added it to its breach tool.