No mention was made of the data being encrypted or non-encrypted. Any PHI that leaves the clinic, hospital, or other organization MUST be encrypted to make the PHI meaningless to a thief.

Anderson's ISP (Information Security Policy) is lax and should be completely overhauled to be HIPAA-compliant. With increasing numbers of laptop computers and other mobile devices being used by providers because of convenience, health care organizations are also increasing their risks for allowing PHI breaches and being fined by HHS Office of Civil Rights.

Dozens of online resources on preventing breaches can be easily found, such as "13 Security Tips to Combat Mobile Device Threats to Healthcare."

http://www2.idexpertscorp.com/assets/uploads/IDE_Risks_Experts_Weigh_In_FINAL.pdf