Now this is refreshingly transparent:
A password-protected laptop was stolen from a Longwood Management employee’s vehicle on February 11, 2015 (no, that’s not the refreshing part, obviously). Investigation revealed that encryption was deployed on the laptop, but “the encryption may not have been sufficient to prevent access by someone with the knowledge or skills to exploit vulnerabilities.”
I don’t think I’ve ever quite seen a statement like that in a breach notification letter before.
You can read their full notification here (pdf). Because the laptop stored names, Social Security numbers, positions, and facility locations, those impacted were offered services with Experian ProtectMyID.