The redOrbit story shows a continuing trend in breach notification — it is all about encryption:
A laptop containing confidential information about 11,000 patients has been stolen from a Midland GP’s home.
Contrary to Department of Health guidelines, the information was not encrypted, which would have made it unreadable without a special code to unscramble it.
Shame, shame. Will we have to start monitoring for data written to a non-encrypted space? Wait a minute, why is there any non-encrypted space on a GP’s laptop? Does not compute.
The laptop was among items stolen in a recent burglary at the home of the unnamed doctor, who works at the Castlecroft Medical Practice in Wolverhampton.
I am certain the authorities will not release his name because that would be like giving away his identity information. At least they are careful about that, but what if they had a policy where they did the opposite and subjected people who lost information to similar treatment…? Too malicious? Cruel? Yes, I know. Monty Python comes to mind.
The information on the computer, which belongs to the practice, included patients’ names, dates of birth, addresses, contact details and confidential medical records. The practice has written to all of its 11,000 patients to inform them that information about them was on the stolen computer.
Dr Peter Wagstaff, senior partner at the practice, said: “The practice is treating this issue very seriously and we are extremely sorry for any distress or concern that it may cause our patients.
“Though not encrypted, the confidential information on the laptop was protected by a complex password system, which only a person with specialist computer knowledge would be able to crack.”
Wonder why the practice did not notice the gap in encryption. Complex password or a complex system? I have a strange feeling that the system might be complex, but the password was not.