Rob Rogers reports:
OrthoMontana is scrambling to warn current and past patients that their personal information may be on a laptop computer that was recently stolen from the company.
The Billings orthopedic and sports medicine practice has sent letters across the city to those who may have been impacted.
[…]
The laptop was heavily encrypted — two sets of user names and passwords plus a “biometric finger scan” was required to access its files, he said.
Read more in the Billings Gazette.
It’s nice to see a stolen laptop that actually had more than just a user/pass to access, and this may give the practice safe harbor in terms of reporting the incident to HHS. We’ll have to wait to see if it is reported to them. There is no statement on the OrthoMontana site at this time.
Update: Thanks to Rebecca Herold, who explained to me that even if the laptop was encrypted (and it’s not clear that two user/passwords is encryption), OrthoMontana would still be required to notify if the encryption they used does not meet NIST minimum encryption standards. This article by Rebecca from 2009 explains it nicely.
Update 2: See the note on the report to HHS, here.