Regardless, an additional 860,000 current and former members of AvMed are being notified that their personal information is at risk due to the apparent theft of two laptops, which went missing from a locked conference room at AvMed Health Plans’ Gainsville office back on December 11.

AvMed once again mentions that there is no evidence of any malicious use of the data, which is normal, and that they are “strengthening data security and procedures.” Thanks to Redemtech for the heads up on the article.

But what is curious is that the laptop “had safeguards to protect sensitive information, including strong password protection and encryption.” Even still, the company is offering free credit monitoring.

No report of the number of victims has been given.

The response to the “breach” makes one wonder if there’s more to the story. Was the encryption not properly applied (very common)? Did the employee tape a handwritten plain-text passphrase note onto the palm rest (it happens–that’s why MyLaptopGPS offers Remote Decryption Kill)? Tough to say, and it’s all speculation. Something just seems odd about the reports and the response.

We will have to see if it shows up on the HHS Hall of Shame or not.

First, the San Francisco Business Times reports that UC San Francisco reported a laptop theft that occurred on our about November 30, breaching 4,400 patients of the UCSF School of Medicine. The data included names, medical record numbers, age and clinical information, but not Social Security Numbers.

And, all to commonly, the data records were not encrypted.

The article also refers to tougher federal regulations and penalties that could be involved, including up to $1.5 million in fines for privacy violations–all the more reason to take proper precautions before it’s too late. Thanks to kirniki for the tip.

In the second case, our headliner for the week, ABC 13 reports that Methodist Hospital in Houston had a breach when a thief stole a laptop attached to a medical device that tests pulmonary function. The laptop contained private health information and Social Security Numbers for for 689 people and, again, was not encrypted or, apparently, otherwise protected. Thanks again to kirniki for the tip.

Says the hospital: “We are truly sorry if we have caused any stress or problems for the patients affected by this. We have offered them one year free subscription for credit monitoring and identity theft protection.”

Such a breach does indeed put the victims–those of us with data that was compromised due to no fault of our own–in a tough spot. It places burden and stress. Just read the comments of readers on the article itself, for some stark examples. Credit monitoring and ID Theft Protection can help to at least detect problems early, but it’s much better to mitigate problems before they occur, which is why we continue to trumpet that call: buckle that safety belt before driving down the road.

The data were breached on a stolen computer, though the article doesn’t make clear whether the machine was a laptop or a desktop. In any case, it was:

1. Unencrypted
2. Not trackable
3. Not SafeTagged

Surprised?

Additionally, “an additional 22,500 students are being notified that their names and test scores may have also been on the computer. No Social Security numbers were recorded with those names, but computer-generated student ID numbers may have been.”

Security matters.