by danielweber 3626 days ago
> most IT-workers at those institutions tend to just mail all details they feel are relevant to the issue

Not necessarily disbelieving you, but why do you say this? Every place I've worked or contracted at with PII, I've had to sit through training about not doing this, and management provided tools for proper handling.

I don't mean to say that because there are policies, no one ever breaks them. I've also encountered places where what was encouraged on the ground was different than what was listed in policy.

1 comments

I work for a SaaS vendor of health care record software. From what I have seen, care institutions (as opposed to hospitals) do not have the experience or staff in-house to facilitate proper security procedures. The problem as I see it lies not in the routine operations that have a high degree of visibility in the organisation and tend to have strict policies surrounding them because they are anticipated, but in the exceptions, such as key users or the IT support responsible for the service they use reporting issues to the vendor.