by Freak_NL 3625 days ago
This happens more than you think, although not usually at this scale and this high up in the chain. When a care institution needs to communicate with one of their vendors handling health records about a problem with a specific person's record, most IT-workers at those institutions tend to just mail all details they feel are relevant to the issue without even considering encryption or the necessity of sending all that data over the wire.

The use of physical post here was probably a good thing all things considered! They could just as easily have used WeTransfer or some other cloud solution — when it comes to security best practices people are very good at downplaying the potential risk, even when legislation does acknowledge it and forbids such treatment of sensitive personal information.


> most IT-workers at those institutions tend to just mail all details they feel are relevant to the issue

Not necessarily disbelieving you, but why do you say this? Every place I've worked or contracted at with PII, I've had to sit through training about not doing this, and management provided tools for proper handling.

I don't mean to say that because there are policies that no one ever breaks them. I've also encountered places where what was encouraged on the ground was different than what was listed in policy.

I work for a SaaS vendor of health care record software. From what I have seen, care institutions (as opposed to hospitals) do not have the experience or staff in-house to facilitate proper security procedures. The problem as I see it lies not in the routine operations that have a high degree of visibility in the organisation and tend to have strict policies surrounding them because they are anticipated, but in the exceptions, such as key users or the IT support responsible for the service they use reporting issues to the vendor.