Ah, but axcrypt isnt "approved" you know.
What then, you ask? Winzip + password... I kid you not, for a (short) while this was classed as "encryption" for medical data in my country and these files could be sent over the internet...
I work in health IT and the current mandatory way to report activity to the govt. here is by CD.
One CD containing anonymous key + care record data, one CD containing the key + personal ID-mapping in separate registered mail parcels.
Oh and leaks. I really don't think the amount of leaks have increased very much. But I belive reporting has gotten better, and the leaks are "larger" affecting more patients at a time. Leaks occured with paper records as well, and then the information was truly _lost_ instead of just copied. One hospital I know of used to have 17 secretaries whose job it was to run around the hospital hunting for paper records checked out from archives in order to return them. Needless to say they didn't have a 100% success rate...
Now hospitals are starting to deploy data loss prevention packages (yes, starting...) so they get an idea of what's actually going on in their networks.
These packages are usually set to "logging only" or "quarantine/confirm" and not "deny". This is because there are some rare circumstances where sending data in plaintext might save a life, there are quite a few false positives, and because hospital boards listen more to irate doctors than to IT staff.
I belive this will change when we get a bloody stardard implemented for sharing these data with other health care institutions and for reporting activity to the govt. Then we _might_ be able to turn off all permissions for removable media at any PC with access to sensitive data and set the DLP-packages to deny all outbound to the internet.