We are seeing this way too often.
Our Lady of Peace, a psychiatric hospital in Louisville, KY is in the middle of a painful and embarrassing process.
A flash drive was lost that:
… contained unencrypted data on patients admitted since 2002 and patients assessed, but never admitted, since 2009. Data on admitted patients included name, room number, insurer name, and admission and discharge dates. It did not include diagnoses or treatments, Social Security number, date of birth, telephone numbers or address.
Data on assessed patients included name, date of assessment, date of birth and the time they left the hospital. It did not include diagnoses or treatments, Social Security numbers, telephone numbers, address or insurance information.
My first reaction to this is: why would anybody put that kind of data on a flash drive?
Any office or hospital will have a tough time justifying to me that this makes any sense.
OK, if the world is going to end if you can’t use a flash drive with this sensitive data on it, then you MUST have the flash drive encrypted.
Had this been the case, this incident would not be an issue.