A Maine-based company announced Thursday it fired an otherwise exemplary employee who downloaded medical data onto a jump drive and then lost the device while traveling between Salt Lake City, Denver and Washington, D.C.

The unidentified woman’s termination follows yesterday’s disclosure of a data breach affecting 6,000 Medicaid recipients in Utah. Jim Clair, CEO of the Goold Health Systems, told The Salt Lake Tribune the contractor had difficulty downloading a patient report and decided to use the portable device, which is against the company’s and the Utah Health Department’s policies. She lost the device sometime last week.

“She was a terrific employee who made a mistake, a pharmacist who oversees the entire Utah account,” said Clair. “But [the breach] is that serious to us.”

The unencrypted, lost data included Medicaid recipients’ names, ID numbers, ages and recent prescription use. It did not contain Social Security numbers or financial data that would raise the risk of identity theft or fraud.

The breach also pales in comparison to one last March at the Utah Department of Health in which cybercriminals took advantage of an authentication misconfiguration to break into the state department’s servers and steal 280,000 records holding Social Security numbers and another 500,000 with less sensitive personal data.

Those impacted also included Medicaid recipients as well as anyone who had visited a health care provider in the four months prior, which prompted a query to see whether they were eligible for the federal and state program.

This week the state’s Medicaid director said there was minimal risk the stolen data would lead to identity theft. The health department’s executive director said the agency was reviewing Goold Health Systems’ contract to explore all financial and contractual remedies.

Goold’s CEO said the employee likely didn’t realize she had violated policy when she downloaded data onto the jump drive, nor that the information, if ever discovered, could be used maliciously.

“It could be sitting in the trash somewhere and eventually destroyed,” Clair said. “But it should have never happened in the first place.”

Categories: Compliance, Data Breaches

Comments (10)

  1. Andy Willingham
    1

    Personally I’m glad to see a company taking something such as this so seriously. Of course I feel bad for the woman who lost her job but as long as companies are lax on the consequences of violating policy then no one will take policies seriously. Not only that but it has to be a top down thing. If the Execs get a “get out of jail free” card then employees will be less likely to follow policy and will also file complaints with the labor board if/when they receive negative consequences.

    Reply
  2. Michael Francis
    2

    (disclaimer – I work for Vigilant Software)

    This once again hammers home the need (and possible pitfalls if you don’t) to carry out a proper, thorough and auditable risk assessment of all your company’s assets and put in place the necessary controls to combat the threats and vulnerabilities. Doing all this in a way that complies with ISO27001 would be advantageous too.

    Reply
  3. Jeremy
    4

    I bet I know where it ends up!  I just did a small project on recovering data from flash drives lost at airports and you might be surprised at all the stuff I found.  Short blog post here: sudosecure.com/the-data-you-left-behind-part-1/

    Reply
  4. Chet
    5

    Anonymous said: “You’d think there’d be a way for IT to require any usb devices to be automatically encrypted….”

    There is.  It’s a pain to set up and has to be done exactly right.  But if done right, you cannot save any data to a USB device unless it’s encrypted.

    Reply
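The enforced-encryption setup Chet describes can be checked on a Windows endpoint from the defender's side. The script below is an added example, not code from the article or any commenter; it assumes Windows 10/11 with the BitLocker PowerShell module, an elevated session, and the Group Policy registry location HKLM\SOFTWARE\Policies\Microsoft\FVE, where the "Deny write access to removable drives not protected by BitLocker" setting is stored as RDVDenyWriteAccess.

```powershell
# Added example (not from the article or any commenter): audit whether this
# Windows host blocks writes to removable drives that are not BitLocker-
# protected, and report the protection state of each removable volume.
# Assumes Windows 10/11 with the BitLocker module; run from an elevated shell.
#Requires -RunAsAdministrator

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-RemovableEncryptionPolicy {
    # RDVDenyWriteAccess = 1 is written by the Group Policy setting
    # "Deny write access to removable drives not protected by BitLocker".
    $value = Get-ItemProperty -Path $PolicyKey -Name 'RDVDenyWriteAccess' `
                              -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyConfigured  = ($null -ne $value)
        DenyWriteEnforced = ($null -ne $value -and $value.RDVDenyWriteAccess -eq 1)
    }
}

function Get-RemovableVolumeStatus {
    # Enumerate mounted removable volumes and ask BitLocker about each one.
    Get-Volume |
        Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object {
            $mount = "$($_.DriveLetter):"
            $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Drive            = $mount
                FileSystem       = $_.FileSystem
                ProtectionStatus = if ($bl) { $bl.ProtectionStatus } else { 'Unknown' }
                EncryptionPct    = if ($bl) { $bl.EncryptionPercentage } else { 0 }
            }
        }
}

$policy = Get-RemovableEncryptionPolicy
if (-not $policy.DenyWriteEnforced) {
    # This is the gap that let the report in the article be copied in clear text.
    Write-Warning 'Removable drives on this host can be written without BitLocker protection.'
}
Get-RemovableVolumeStatus | Format-Table -AutoSize
```

A drive reported with ProtectionStatus 'Off' while DenyWriteEnforced is false is exactly the condition that allowed an unencrypted patient report to leave the building.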
  5. T
    6

    Data Loss Prevention systems are relatively easy to put in place. They prevent unauthorised portable devices from being attached to any of the organisation’s PCs. Access can then be granted on a ‘case by case’ use, thus controlling who can do what on your network. We use a system like this and team it up with SafeSticks which provide the encryption and end-point management such as remote wipe etc. You can even specify what type of file each user is allowed to put onto the sticks. There’s no excuse these days really to put in a system like this, but as always it comes down to user awareness. You can spend all the money you like on the tech, but if you don’t educate your staff, you’re screwed.

    Reply
  6. Samuel H. Dighan
    7

    The lesson: never use a thumb drive for data transport. Why do people insist on carrying data when we have almost ubiquitous internet access?  Place it in your corporate email/cloud/sharepoint and never worry.  Plus, when you get hit by that crosstown bus – they can still find your files.  The only data I carry is credentials to access my data and those credentials are definitely encrypted.

    Reply
  7. Anonymous
    8

    McAfee, Trend, Symantec, Imation all have tools that can enforce encryption on any storage device, including CD/DVD.  The big questions are: 1) why hasn’t the company implemented device control or DLP; 2) why did the associate not know she was breaking policy?  What training programs do they have to make employees aware of policy?

    Reply
  8. Doc Muhlbaier
    9

    I think that firing the employee for management’s failure to provide proper training is the real problem. We should not hold people accountable for things they are not informed of.

    Granted, there should be some process, but this punishment did not fit the crime.

    Reply
  9. EJ
    10

    Anyone who has attempted implementation of encryption in a good sized business will understand the complexity and challenges that those tools represent.

    Reply
