In a “domestic burglary”, the personal information of 9000 students was stolen from a city councilman’s home.
What was done right?
The hard drive on the stolen laptop was encrypted.
What was done wrong?
“data stored on the CD ROMs and memory sticks included Surname, Forename, Gender, Date of Birth, Address, Postcode, Phone number, UPN (a unique identification number), Ethnicity, free school meals eligibility, in-care indicator, Language, gifted and talented indicator, mode of travel to school, entry date to school, special educational needs indicator, school, attainment data for English, Maths and Science at end of years 6 and 9, attendance rate.”
None of this was encrypted.
Why was this in his home?
How does this apply to your office?
Ask yourself: should any PHI ever be in an employee’s house?
Should any PHI ever be on a device that leaves the office?
The way we most often see this happen is when an office sends the server backup drive home with an employee so it can count as an “off-site” backup.
Hopefully nobody else is doing this, but this is a big mistake.