That can be true for health-care providers as well.
In January, Henry Schein Practice Solutions, which is the leading provider of office management software for dental practices, agreed to pay $250,000 to settle charges from the Federal Trade Commission that it "falsely advertised the level of encryption it provided to protect patient data," according to the FTC.
The agency had alleged that Henry Schein had marketed a software product, Dentrix G5, "with deceptive claims that software provided industry-standard encryption of patient information," the FTC said.
"Strong encryption is critical for companies dealing with sensitive health information," said Jessica Rich, director of the FTC's Bureau of Consumer Protection, when the settlement was announced. "If a company promises strong encryption, it should deliver it."
In a statement to CNBC, Henry Schein spokesman Gerard Meuchner said the company admitted no wrongdoing in the case, and that it agreed to the settlement "to avoid long and costly litigation." He also said that "we had a disagreement with the FTC about how we used the word encrypted" in marketing from 2012 until early 2014, "but we want to assure our customers that our product works, and works well."
Mark Hollis, CEO of MacPractice, a medical management software company, said the Henry Schein case underscores a risk that health providers run in trusting the word of vendors that their software will adequately encrypt patient data, as is required under the law.
"A patient and a provider cannot assume, should not assume without evidence of some kind that patient data is being protected" by a piece of software, Hollis said.
In December, Alliance Health Networks in Utah notified more than 40,000 customers that a database containing information about them had been accessed by an outside party.
Brian Watkins, a spokesman for Alliance Health Networks, told CNBC that a "white-hat hacker" contacted the company, which specializes in health-focused social networks and a prescription drug program, and alerted it to the fact that he had accessed "a test database containing customer information [that] had inadvertently been left accessible via the Internet." No Social Security numbers, credit card numbers, or banking information was contained in the database.
The breach, the first in Alliance Health Networks' history, led the company to enhance its security measures, to extensively audit all of its databases to prevent further such breaches, and to hire an external forensic security company, according to Watkins. The breach prompted some customers "to have their names permanently removed from our database," he said.
Hollis of MacPractice noted that under the law currently, patient health data must be encrypted if it's being held in electronic form, whether that data is "at rest," such as on a computer hard drive or server, or "in motion," when it is being transmitted via email or by other means to another party.
Asked what the industry compliance rate is for that standard, he said, "No one knows."
Hollis said "my suggestion to patients would be that they begin to ask that question, if their data is secure ... 'Before I give you my data, what are you doing to protect it?' It's not an unreasonable request."
"Patients don't understand they have to have that information, and they have a right to know that their doctor is protecting their data," he said.