Soraya Balzac, a Medco spokeswoman, Wednesday confirmed that the data on the laptop was not encrypted but said that the laptop itself required a password for user log-on. The company has since changed its procedures and is now encrypting such data for state workers, she said. "Whether this specific incident prompted that, I couldn't confirm that," Balzac said. "We have moved to [encryption] in transit since then."

Balzac said the Medco worker had permission to have the data and the laptop off-site, but she would not describe where the laptop was when it was stolen. The six-week delay in notifying the state of the theft was necessary because the incident was under investigation by local police in New Jersey and a complete log of the stolen data had to be created so it could be reported, she said.

"It did take time," Balzac said. "Medco takes this extremely seriously."

Balzac said the company is reviewing its response procedures for the future. "You're as efficient as the lessons learned in the last scenario," she said.