It's pretty easy to blame Affiliated Computer Systems - the vendor responsible for maintaining healthcare claims for the state of Georgia - for the lost backup tape containing the personal information of 2.9 million residents of the Peach State.
After all, the contractor was responsible for the tapes when they were lost somewhere between Georgia and Maryland.
(I got lost somewhere between Georgia and Maryland once during my college days several years back. Long story short, I blame Mapquest and a bartender who egregiously overserved me the prior evening).
Anyway - back to the case at hand. Let's assume that because news of the lost tapes got reported, the data wasn't encrypted. But it would have been if the Georgia Department of Community Health had required the data be encrypted in its service-level agreements with Affiliated Computer System. I mean, duh.
But what if the health department never thought to have the data encrypted?
Well then that speaks to poor policies within the agency. State departments must know their assets, classify them, and be sure the most sensitive information is secured. Encryption isn't the silver bullet; sound policies are.
Sure, Affiliated Computer Systems may be technically at fault, but the real burden rests on organizations doing the outsourcing.