Most (even small) practices I have seen do have a small network. What about the scenario where there's a server but there's a huuuge giant lock on the door, so the thief breaks into the doctor's office and uses a boot CD approach on the workstation? If the data was stored on the server, then even if the local machine was compromised the server would still be able to log the file access. Of course, the problem with this scenario is that if it's an Outlook-style contacts list, I don't think it would be stored on the server. Although, with it being in a medical establishment, it's possible they would use bespoke/specialist software to store the patients' details, and contacts etc. could be a part of that.