it's just the description of a new problem, or of a new level to an existing problem.
If separation of data from device isn't the solution, if encryption isn't the solution, if strong passwords aren't the solution, what is? What's a CISO to do about this?
Is it like being mugged for your bank PIN except there's no daily limit on your withdrawals (esp. if you're a systems admin)? Maybe, like being mugged for your bank PIN, there IS ultimately nothing that can be done to totally prevent it, and it will continue to be a real and active concern but a relatively rare occurrence?
I'd suspect more muggings are, and will continue to be, done for bank PINs, cash and jewellery than for health and other info.