I don't think the issue is taking care of the employer-owned asset of the machine itself, but of the customer-owned data.
It's not mentioned in this article whether or not the hospital had an encryption policy (one would assume that they'd at least have some form of security policy, though).
Should the laptop have been encrypted? Duh.
Should the employee have NOT stored EPHI on the unencrypted laptop? Double Duh.
As Jamie Cowper of PGP is quoted in the article:
"Technologies such as encryption should be implemented and managed on an enterprise-wide basis, not left up to the individual. Unless there is evidence of grievous misconduct, the responsibility for data security should lie with the organisation as a whole – and that means that in cases such as this, punishment should be top-down rather than bottom-up."
However, I do see it as a step in the right direction. Seems to me that there is more than one party at fault here. It sucks that this one person had to be the fall guy, but with any luck he'll hire a good lawyer who can take the case and make a greater precedent, i.e. "Should my client have been dismissed from his position when there was no enterprise policy to protect the data in the first place?"
Jimbob's got it right... there is NO reason for this data to be on a manager's laptop (should he even NEED a laptop anyway?), but it is the responsibility of upper management, the board, and us security geeks to see to it that this doesn't happen in the first place.