‘Terrific Employee’ Fired After Losing USB Drive Containing Medical Records

A Maine-based company announced Thursday it fired an otherwise exemplary employee who downloaded medical data onto a jump drive and then lost the device while traveling between Salt Lake City, Denver and Washington, D.C.

The unidentified woman’s termination follows yesterday’s disclosure of a data breach affecting 6,000 Medicaid recipients in Utah. Jim Clair, CEO of the Goold Health Systems, told The Salt Lake Tribune the contractor had difficulty downloading a patient report and decided to use the portable device, which is against the company’s and the Utah Health Department’s policies. She lost the device sometime last week.

“She was a terrific employee who made a mistake, a pharmacist who oversees the entire Utah account,” said Clair. “But [the breach] is that serious to us.”

The unencrypted, lost data included Medicaid recipients’ names, ID numbers, ages and recent prescription use. It did not contain Social Security numbers or financial data that would raise the risk of identity theft or fraud.

The breach also pales in comparison to one last March at the Utah Department of Health in which cybercriminals took advantage of an authentication misconfiguration to break into the state department’s servers and steal 280,000 records holding Social Security numbers and another 500,000 with less sensitive personal data.

Those impacted also included Medicaid recipients as well as anyone who had visited a health care provider four months prior that prompted a query to see if they were eligible for the federal and state program.

This week the state’s Medicaid director said there was minimal risk the stolen data would lead to identity theft. The health department’s executive director said the agency was reviewing Goold Health Systems’ contract to explore all financial and contractual remedies.

Goold’s CEO said the employee likely didn’t realize she had violated policy when she downloaded data onto the jump drive, nor that the information, if ever discovered, would be used maliciously.

“It could be sitting in the trash somewhere and eventually destroyed,” Clair said. “But it should have never happened in the first place.”


Discussion

  • Andy Willingham on

    Personally I'm glad to see a company taking something such as this so seriously. Of course I feel bad for the woman who lost her job but as long as companies are lax on the consequences of violating policy then no one will take policies seriously. Not only that but it has to be a top down thing. If the Execs get a "get out of jail free" card then employees will be less likely to follow policy and will also file complaints with the labor board if/when they receive negative consequences.

  • Michael Francis on

    (disclaimer - I work for Vigilant Software)

    This once again hammers home the need (and possible pitfalls if you don't) to carry out a proper, thorough and auditable risk assessment of all your company's assets and put in place the necessary controls to combat the threats and vulnerabilities. Doing all this in a way that complies with ISO27001 would be advantageous too.

  • Anonymous on

    You'd think there'd be a way for IT to require any usb devices to be automatically encrypted....

  • Jeremy on

    I bet I know where it ends up!  I just did a small project on recovering data from flash drives lost at airports and you might be surprised at all the stuff I found.  Short blog post here: sudosecure.com/the-data-you-left-behind-part-1/

  • Chet on

    Anonymous said: "You'd think there'd be a way for IT to require any usb devices to be automatically encrypted...."

    There is.  It's a pain to set up and has to be done exactly right.  But if done right, you cannot save any data to a USB device unless it's encrypted.
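One concrete form of the control Chet describes, added here as an example and not part of the article or any comment: on Windows, the BitLocker To Go policy "Deny write access to removable drives not protected by BitLocker". The registry path and value names below are the ones the corresponding BitLocker Group Policy settings write (Group Policy is the usual deployment route); the function names are my own, and the report assumes the BitLocker and Storage PowerShell modules are present.

```powershell
#Requires -RunAsAdministrator
# Added example: block writes to any removable drive that is not BitLocker-protected,
# then audit both the policy and the drives currently plugged in.
$FvePolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

# Values the BitLocker removable-drive policies write (assumed mapping in comments):
#   RDVConfigureBDE    = 1  "Control use of BitLocker on removable data drives" enabled
#   RDVAllowBDE        = 1  ...users may apply BitLocker protection to removable drives
#   RDVDenyWriteAccess = 1  "Deny write access to removable drives not protected by BitLocker"
$RequiredValues = @{ RDVConfigureBDE = 1; RDVAllowBDE = 1; RDVDenyWriteAccess = 1 }

function Set-RemovableDriveEncryptionPolicy {
    if (-not (Test-Path $FvePolicyKey)) { New-Item -Path $FvePolicyKey -Force | Out-Null }
    foreach ($name in $RequiredValues.Keys) {
        New-ItemProperty -Path $FvePolicyKey -Name $name -PropertyType DWord `
            -Value $RequiredValues[$name] -Force | Out-Null
    }
}

function Test-RemovableDriveEncryptionPolicy {
    # $true only when every required value exists with the expected data.
    if (-not (Test-Path $FvePolicyKey)) { return $false }
    $props = Get-ItemProperty -Path $FvePolicyKey
    foreach ($name in $RequiredValues.Keys) {
        if ($props.$name -ne $RequiredValues[$name]) { return $false }
    }
    return $true
}

function Get-RemovableDriveProtectionReport {
    # One row per mounted removable volume: is it BitLocker-protected right now,
    # and could unencrypted data still be written to it (policy missing and no BitLocker)?
    $policyOk = Test-RemovableDriveEncryptionPolicy
    Get-Volume | Where-Object { $_.DriveType -eq 'Removable' -and $_.DriveLetter } |
        ForEach-Object {
            $mount = "$($_.DriveLetter):"
            $bl = Get-BitLockerVolume -MountPoint $mount -ErrorAction SilentlyContinue
            $protected = ($null -ne $bl) -and ($bl.ProtectionStatus -eq 'On')
            [pscustomobject]@{
                Drive               = $mount
                Label               = $_.FileSystemLabel
                BitLockerProtection = if ($bl) { $bl.ProtectionStatus } else { 'NotBitLocker' }
                WritableUnencrypted = (-not $policyOk) -and (-not $protected)
            }
        }
}

Set-RemovableDriveEncryptionPolicy
Test-RemovableDriveEncryptionPolicy          # expect True after the policy is written
Get-RemovableDriveProtectionReport | Format-Table -AutoSize
```

Drives already plugged in may need to be removed and reinserted before the deny-write policy applies to them, so re-run the report afterwards.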

  • T on

    Data Loss Prevention systems are relatively easy to put in place. They prevent unauthorised portable devices from being attached to any of the organisation's PCs. Access can then be granted on a 'case by case' use, thus controlling who can do what on your network. We use a system like this and team it up with SafeSticks which provide the encryption and end-point management such as remote wipe etc. You can even specify what type of file each user is allowed to put onto the sticks. There's no excuse these days really not to put in a system like this, but as always it comes down to user awareness. You can spend all the money you like on the tech, but if you don't educate your staff, you're screwed.

  • Samuel H. Dighan on

    The lesson: never use a thumb drive for data transport. Why do people insist on carrying data when we have almost ubiquitous internet access?  Place it in your corporate email/cloud/sharepoint and never worry.  Plus, when you get hit by that crosstown bus - they can still find your files.  The only data I carry is credentials to access my data and those credentials are definitely encrypted.
