Did anyone hear anything about this - did a letter go out earlier this month? Who or what is OVA Renal Healthcare, Inc.?
This is from the Breach Blog
http://breachblog.com/2008/03/06/davita.aspx
The blog's author's comments [Evan] are in italics.
Date Reported:
3/3/08
Organization:
Davita*
*"DaVita provides dialysis services for those diagnosed with chronic kidney failure, a condition also known as chronic kidney disease (CKD). We have over 1,300 outpatient dialysis facilities and acute units in over 800 hospitals. We are located in 42 states and the District of Columbia, serving approximately 103,000 patients." - Source: Davita "About Davita" page
Contractor/Consultant/Branch:
None
Victims:
Current and/or former patients
Number Affected:
Unknown
Types of Data:
Insurance filings for dialysis services, which includes "name, social security number, medical insurance coverage information, and/or other personal and health related information"
Breach Description:
A laptop containing sensitive personal information belonging to current and former patients of Davita has been stolen from a worker for the company. The laptop was password-protected, but did not employ encryption.
Reference URL:
The New Hampshire State Attorney General breach notification
http://doj.nh.gov/consumer/pdf/davita.pdf
Report Credit:
The New Hampshire State Attorney General
Response:
From the online source cited above:
March 3, 2008
New Hampshire Department of Consumer Affairs
Attn: Consumer Protection
33 Capitol Street
Concord, NH 03301
Dear Sir:
The purpose of this letter is to notify the New Hampshire Department of Consumer Affairs that OVA Renal
Healthcare, Inc. ("Company") recently discovered that it sustained a loss of personal information
[Evan] I copied this from the breach notification letter because there are some interesting points. I don't think there is a "New Hampshire Department of Consumer Affairs", per se. The New Hampshire Department of Justice handles these matters. Secondly, the letter starts out with "Dear Sir". The New Hampshire State Attorney General is Kelly A. Ayotte, a woman.
Dear ______________
On behalf of your dialysis provider, we are writing to inform you of a recent incident which may have resulted in the unauthorized acquisition of your personal information.
Recently, a teammate's laptop was stolen.
Although the laptop is password protected, the hard drive contains -- along with numerous other non-related documents -- documents involving insurance filings for dialysis services.
[Evan] #1, password protection is little more than no protection. #2, why do I care about the non-related documents?
The documents may contain your name, social security number, medical insurance coverage information, and/or other personal and health related information.
The theft was immediately reported to the proper legal authorities.
While law enforcement officials estimate that over two million laptops are stolen annually for resale, we suggest you take all necessary proactive steps to protect against the possibility of identity theft.
[Evan] In my opinion this is a statement meant to minimize the situation. Maybe there are over two million laptops stolen annually for resale, but if I were a victim, the only laptop I care about right now is the one that was just stolen from Davita that has my poorly protected information on it!
We take privacy very seriously, and sincerely apologize that information was compromised resulting from this theft.
[Evan] Anybody can say that they take privacy very seriously, but let's put our money where our mouth is and demonstrate this claim. Why was personal information on the laptop in the first place, and why wasn't the laptop encrypted?
While we remain hopeful that this theft was merely a petty crime looking for things of value, we felt that outreach to you was warranted.
[Evan] Hope only goes so far.
We are taking extra precautions to minimize the chance of this happening in the future.
[Evan] Like?
If you have any questions, please contact DaVita's Guest Services Customer Center at 1-866-987-7454.
Please note that you may be asked to provide the following reference code: TQO208.
Commentary:
Another lost or stolen laptop containing sensitive personal information that did not employ a minimum level of protection (in my opinion).
Do you think I am being too harsh in comments? Don't collect personal information unless you can provide a "reasonable" level of security assurance. Storing personal information on a laptop without encryption or other controls and relying on password protection is not "reasonable" to me.