Rip of the Week: Employee Breaks Rules, 850,000 Doctors Now At Risk
This Rip of the Week is truly astounding. Or, perhaps not really, since we’ve seen this same sort of thing time after time.
American Medical News reports that a BlueCross BlueShield Association employee’s laptop was stolen. No surprise there (remember, every 12 seconds?). The laptop had the personally identifying information (PII) of about 850,000 doctors–every physician in the USA contracted with a Blues-affiliated insurance plan–all completely unencrypted. Now that is a biggie. But still not really a surprise.
What is interesting, albeit nothing even remotely unusual, is that BCBS has company policies that prohibit this data from being transferred or stored in the manner it was in this case.
They have a “rule” that says you can’t do it.
But, yet again, we see that employees love to break rules. And now 850,000 physicians get to suffer the consequences because this data wasn’t encrypted and the laptop wasn’t trackable, nor (apparently) is there any remote deletion capability.
I am reminded of the recent Ponemon Institute report that revealed this very pandemic–company policies are good, are necessary, yet also really accomplish nothing when it comes to true security. They allow people to be cleanly fired. Technology is what protects data. Encrypt it, track it, delete it, recover it!

