Sophos Cloud Optix
A woman called a “terrific employee” by her boss was fired after downloading 6,000 medical records onto a USB drive that she then lost.
The Salt Lake Tribune reports that the woman – an account manager handling Medicaid data for residents of Utah, in the US – was shown the door after losing the portable drive earlier this month.
Jim Clair, the CEO of her now-former employer, Goold Data Systems, of Maine, said it was all pretty regrettable:
"She was a terrific employee who made a mistake, a pharmacist who oversees the entire Utah account... But [the data loss] is that serious to us."
Goold Data Systems manages pharmacy claims for several states’ Medicaid programs.
Contrary to company policy, the woman had downloaded a file containing names, ages and prescription information for 6,000 Utah Medicaid recipients onto a USB memory stick.
Then, earlier this month, somewhere between Salt Lake City, Denver and Washington, D.C., the woman lost the device.
Of course, companies should take such matters seriously, but they should do more than write policies that employees might be completely oblivious about.
Here’s the thing: the employee probably didn’t even realize that putting a file onto a thumb drive was against company policy, as CEO Clair told the Salt Lake Tribune.
She had difficulty uploading a file ordered by the Utah Department of Health, so she just found it easier to pop it onto a thumb drive, he said.
So is the incident really her fault?
There are readily available technologies that prevent copying of unencrypted sensitive files (or any files at all) onto USB drives.
Having a company policy against USB drive usage, or USB drives leaving the facilities, is insufficient – perhaps even a bit on the lax side, given that it’s technologically feasible to stop these things.
Clair admits that the information on the drive may never wind up being compromised. It did not, in fact, contain Social Security numbers, which would have opened up the door much wider for identity theft.
“It could be sitting in the trash somewhere and eventually destroyed,” Clair said. “But it should have never happened in the first place.”
He’s right. It should never have happened in the first place.
And if Goold, and other businesses, did a bit of work beyond writing policy, they could ensure it doesn’t.
As Sophos’s Paul Ducklin said back when police were fined over a stolen, unencrypted USB drive, encrypt everything, and you never have to worry about the stuff you didn’t encrypt.
Lost USB and woman with USB images courtesy of Shutterstock
She knowingly VIOLATED policy.
Doesnt matter how good of an employee she was if she will knowingly violate policy JUST because it is easier to do.
Your whole story was making up excuses for this lady and then you toss in that there was more the company could do.
So in your would if your an excellent employee you should get carte blanche when it comes to horrendous mistakes in judgement??
Show up late everyday but your an excellent employee and it is ok?
Dont bother showing up for work for a week but it is ok because your an outstanding employee??
She was responsible for her getting fired, not the company.
They wrote down what rules they expected their employees to follow and I bet they wrote down what would happen if they didnt.
Sure the company should have locked out the USB and should have encrypted the files and should have had separate keys and on and on but it does NOT absolve the lady 1 bit.
Guarantee that the policy was vague and that the staff didn't receive adequate training. An expectation of knowledge is not the same as the employee receiving the policy and being trained on it. Unless the employee signed a systems policy letter and the policy is well stated and clear, the company will end up settling to resolve it. A good lawyer will walk all over this, determine that the company was responsible for not publishing and clearly stating a written policy and the company will establish legally infallible policy to address the issue. They will either have to rehire her or pay her damages, most likely damages since a precedence was set for making an employee culpable for lack of adequate procedure.
A judge once told me, "Ignorance of the law excuses no one". More than likely she had to sign proper use policies. It'll come down to how well her lawyers can spin it. I guarantee if she had never lost it, we would not be reading this story.
@Akboss – as the article made clear, it is not obvious that the policy was well published or the employees well trained. "knowly VIOLATED" goes way beyond the presented information.
At issue is really that irrespective of written policy the biggest security risks are your employees, whether unintentionally or the disgruntled individual that was just downsized. Failing to think those situations through is certainly a greater failing on the part of the organization than any "error" made by this employee.
On that note, it seems likely to me that the firing of this employee is and will be used to mask those errors – "We fired the 'bad' employee, so that problem is taken care of." If the employee *was* valuable, they'd certainly be better off warning her, instituting training, and fixing the underlying systemic problems.
Whenever I start a new job I always have to sign a form that says I read the rules and regulations (usually employee handbook) and that I understand them. If this policy wasn't explicitly stated in that document then she has a case for wrongful termination.
Aside from that, with the focus on PII and the protection of PII in the last decade you would think that anybody not living under a rock would understand the importance of protecting peoples identifying information. If this person, who obviously held a high level job, didn't understand these sort of basic business concepts then perhaps she is better off getting a job where she doesn't interact with sensitive data.
Just a few short months ago I was meeting with a company who had asked I bring documents with me. I work for a small company and we were having printing issues that particular day so I loaded my Word documents onto a USB stick to print at home, unfortunately Dallas traffic was really screwed up and I was running late.
I arrived at the company and signed in with the receptionist. I then asked her if she would print my documents and she gladly took my USB stick, opened the document and printed them. ??? It gets better.
The meeting is well into progress and there is paper work spread out all over the table but the person I had handed my documents to couldn't find them. We spent a good five minutes looking for them but to no avail. Once again I hand over my USB stick and he runs off to print them.
Now I'm no IT Security expert but I've worked in Tech for sometime. It seems to me that introducing outside storage devices into a companies network should be a big No No! Gawd knows what else was on my USB stick that could have compromised the company's network..
Thoughts?
Matt^^ gives us the best example, you can make all the rules you want but if someone decides to ignore them game over.
Higher/stiffer penalties may be a better deterrent but when ‘The Boss’ expects that report and puts a person(s) under pressure rules will be broken.
What this woman in the main story did was completely and knowingly against policy. Here I think is the real issue “She had difficulty uploading a file ordered by the Utah Department of Health, so she just found it easier to pop it onto a thumb drive”. She found it EASER so her laziness in not finding out how do it ‘properly’ &/or her overall laziness in not doing it the harder way led to this error.
Everyone on this planet knows privacy and security is paramount and anyone in her position would be even more aware, she deserves to lose her trusted position, hopefully this will teach her to put more effort into learning how the system provided works.
Point 2 STOP bypassing rules & regs just to make it look like you can do your job TELL your manager ‘it cannot be done that way within that time scale’. Admit there is an issue rather than break a rule.
Seems like your equation should instead be:
1 "terrific employee" – 1 thumb drive = 6,000 lost medical records + fired
My perspective on this is based on the 13 years I worked in community mental health. If that fired employee is a pharmacist, then she had to be well aware of HIPAA, even if she was ignorant of company policy. Putting protected health information on an unsecured thumb drive is just asking for a HIPAA violation to happen. This is basic common sense for anyone that works in fields that are affected by HIPAA. Guarding the privacy of your patients, clients, etc. is Healthcare Ethical Behavior 101. If you are too stupid to see that information on a thumb drive in an unsecured location poses a serious ethical (as well as security problem, you are clearly too stupid to work in fields that are affected by HIPAA. I've employed filing clerks with no more than a GED that would point this out.
Even if her employer didn't provide enough orientation to the company policies, I have no sympathy for this person whatsoever. As a healthcare professional, she should have known better, and I am willing to bet that she did indeed know better. She probably did it because it was convenient for her in her work. It's too bad that her former employer would have a hard time proving that. As far as I am concerned, she should be spending some time at a federal corrections facility for what she did.
I concur. As a health professional, my employers have told us over and over about HIPAA over the years. The latest is that fines can be levied for *each* individual violation. If I were to leave a computer screen open to view, it could be a violation costing us $10,000.
@ donna and John Vogel, I did many years at a major medical center running the IT Security Team (Hell I built many of the processes and controls), I would agree that you "should know about HIPAA", but you would be surprised the number of clinical staff that are given only the Patient care side of HIPAA concerns, and are told the "Systems" will handle the rest. Yes the employee did do wrong, and yes I personally investigated and assisted with the termination of employees for the exact same issue, but either way you slice it clinical staff in many healthcare organizations are not being given adequate ePHI training.