A Maine-based company announced Thursday it fired an otherwise exemplary employee who dowloaded medical data onto a jump drive and then lost the device while traveling between Salt Lake City, Denver and Washington, D.C.
The unidentified woman’s termination follows yesterday’s disclosure of a data breach affecting 6,000 Medicaid recipients in Utah. Jim Clair, CEO of the Goold Health Systems, told The Salt Lake Tribune the contractor had difficulty downloading a patient report and decided to use the portable device, which is against the company’s and the Utah Health Department’s policies. She lost the device sometime last week.
“She was a terrific employee who made a mistake, a pharmacist who oversees the entire Utah account,” said Clair. “But [the breach] is that serious to us.”
The unencrypted, lost data included Medicaid recipient’s names, ID numbers, age and recent prescription use. It did not contain Social Security numbers or financial data that would raise the risk of identity theft or fraud.
The breach also pales in comparison to one last March at the Utah Department of Health in which cybercriminals took advantage of an authentication misconfiguration to break into the state department’s servers and steal 280,000 records holding Social Security numbers and another 500,000 with less sensitive personal data.
Those impacted also included Medicaid recipients as well as anyone who had visited a health care provider four months prior that prompted a query to see if they were eligible for the federal and state program.
This week the state’s Medicaid director said there was minimal risk the stolen data would lead to identity theft. The health department’s executive director said the agency was reviewing Goold Health Systems’ contract to explore all financial and contractual remedies.
Goold’s CEO said the employee likely didn’t realize she had violated policy when she downloaded data onto the jump drive. Nor that the information, if ever discovered, would be used maliciously.
“It could be sitting in the trash somewhere and eventually destroyed,” Clair said. “But it should have never happened in the first place.”