1 "terrific employee" + 1 thumb drive + 6,000 lost medical records = fired!

Filed Under: Data loss, Featured, Privacy

Lost USB stick, courtesy of ShutterstockA woman called a "terrific employee" by her boss was fired after downloading 6,000 medical records onto a USB drive that she then lost.

The Salt Lake Tribune reports that the woman - an account manager handling Medicaid data for residents of Utah, in the US - was shown the door after losing the portable drive earlier this month.

Jim Clair, the CEO of her now-former employer, Goold Data Systems, of Maine, said it was all pretty regrettable:

"She was a terrific employee who made a mistake, a pharmacist who oversees the entire Utah account... But [the data loss] is that serious to us."

Goold Data Systems manages pharmacy claims for several states' Medicaid programs.

Contrary to company policy, the woman had downloaded a file containing names, ages and prescription information for 6,000 Utah Medicaid recipients onto a USB memory stick.

Then, earlier this month, somewhere between Salt Lake City, Denver and Washington, D.C., the woman lost the device.

Of course, companies should take such matters seriously, but they should do more than write policies that employees might be completely oblivious about.

Here's the thing: the employee probably didn't even realize that putting a file onto a thumb drive was against company policy, as CEO Clair told the Salt Lake Tribune.

She had difficulty uploading a file ordered by the Utah Department of Health, so she just found it easier to pop it onto a thumb drive, he said.

Woman with USB, courtesy of ShutterstockSo is the incident really her fault?

There are readily available technologies that prevent copying of unencrypted sensitive files (or any files at all) onto USB drives.

Having a company policy against USB drive usage, or USB drives leaving the facilities, is insufficient - perhaps even a bit on the lax side, given that it's technologically feasible to stop these things.

Clair admits that the information on the drive may never wind up being compromised. It did not, in fact, contain Social Security numbers, which would have opened up the door much wider for identity theft.

"It could be sitting in the trash somewhere and eventually destroyed," Clair said. "But it should have never happened in the first place."

He's right. It should never have happened in the first place.

And if Goold, and other businesses, did a bit of work beyond writing policy, they could ensure it doesn't.

As Sophos's Paul Ducklin said back when police were fined over a stolen, unencrypted USB drive, encrypt everything, and you never have to worry about the stuff you didn't encrypt.

Lost USB and woman with USB images courtesy of Shutterstock

, , , , , ,

You might like

11 Responses to 1 "terrific employee" + 1 thumb drive + 6,000 lost medical records = fired!

  1. Akboss · 991 days ago

    She knowingly VIOLATED policy.
    Doesnt matter how good of an employee she was if she will knowingly violate policy JUST because it is easier to do.

    Your whole story was making up excuses for this lady and then you toss in that there was more the company could do.

    So in your would if your an excellent employee you should get carte blanche when it comes to horrendous mistakes in judgement??
    Show up late everyday but your an excellent employee and it is ok?
    Dont bother showing up for work for a week but it is ok because your an outstanding employee??

    She was responsible for her getting fired, not the company.
    They wrote down what rules they expected their employees to follow and I bet they wrote down what would happen if they didnt.

    Sure the company should have locked out the USB and should have encrypted the files and should have had separate keys and on and on but it does NOT absolve the lady 1 bit.

    • Leigh Ann · 991 days ago

      Guarantee that the policy was vague and that the staff didn't receive adequate training. An expectation of knowledge is not the same as the employee receiving the policy and being trained on it. Unless the employee signed a systems policy letter and the policy is well stated and clear, the company will end up settling to resolve it. A good lawyer will walk all over this, determine that the company was responsible for not publishing and clearly stating a written policy and the company will establish legally infallible policy to address the issue. They will either have to rehire her or pay her damages, most likely damages since a precedence was set for making an employee culpable for lack of adequate procedure.

      • netd · 988 days ago

        A judge once told me, "Ignorance of the law excuses no one". More than likely she had to sign proper use policies. It'll come down to how well her lawyers can spin it. I guarantee if she had never lost it, we would not be reading this story.

  2. James · 991 days ago

    @Akboss - as the article made clear, it is not obvious that the policy was well published or the employees well trained. "knowly VIOLATED" goes way beyond the presented information.

    At issue is really that irrespective of written policy the biggest security risks are your employees, whether unintentionally or the disgruntled individual that was just downsized. Failing to think those situations through is certainly a greater failing on the part of the organization than any "error" made by this employee.

    On that note, it seems likely to me that the firing of this employee is and will be used to mask those errors - "We fired the 'bad' employee, so that problem is taken care of." If the employee *was* valuable, they'd certainly be better off warning her, instituting training, and fixing the underlying systemic problems.

  3. Scott · 991 days ago

    Whenever I start a new job I always have to sign a form that says I read the rules and regulations (usually employee handbook) and that I understand them. If this policy wasn't explicitly stated in that document then she has a case for wrongful termination.

    Aside from that, with the focus on PII and the protection of PII in the last decade you would think that anybody not living under a rock would understand the importance of protecting peoples identifying information. If this person, who obviously held a high level job, didn't understand these sort of basic business concepts then perhaps she is better off getting a job where she doesn't interact with sensitive data.

  4. Matt · 991 days ago

    Just a few short months ago I was meeting with a company who had asked I bring documents with me. I work for a small company and we were having printing issues that particular day so I loaded my Word documents onto a USB stick to print at home, unfortunately Dallas traffic was really screwed up and I was running late.

    I arrived at the company and signed in with the receptionist. I then asked her if she would print my documents and she gladly took my USB stick, opened the document and printed them. ??? It gets better.

    The meeting is well into progress and there is paper work spread out all over the table but the person I had handed my documents to couldn't find them. We spent a good five minutes looking for them but to no avail. Once again I hand over my USB stick and he runs off to print them.

    Now I'm no IT Security expert but I've worked in Tech for sometime. It seems to me that introducing outside storage devices into a companies network should be a big No No! Gawd knows what else was on my USB stick that could have compromised the company's network..


  5. Dave · 991 days ago

    Matt^^ gives us the best example, you can make all the rules you want but if someone decides to ignore them game over.

    Higher/stiffer penalties may be a better deterrent but when 'The Boss' expects that report and puts a person(s) under pressure rules will be broken.
    What this woman in the main story did was completely and knowingly against policy. Here I think is the real issue "She had difficulty uploading a file ordered by the Utah Department of Health, so she just found it easier to pop it onto a thumb drive". She found it EASER so her laziness in not finding out how do it 'properly' &/or her overall laziness in not doing it the harder way led to this error.

    Everyone on this planet knows privacy and security is paramount and anyone in her position would be even more aware, she deserves to lose her trusted position, hopefully this will teach her to put more effort into learning how the system provided works.

    Point 2 STOP bypassing rules & regs just to make it look like you can do your job TELL your manager 'it cannot be done that way within that time scale'. Admit there is an issue rather than break a rule.

  6. Jason · 991 days ago

    Seems like your equation should instead be:
    1 "terrific employee" - 1 thumb drive = 6,000 lost medical records + fired

  7. Donna · 991 days ago

    My perspective on this is based on the 13 years I worked in community mental health. If that fired employee is a pharmacist, then she had to be well aware of HIPAA, even if she was ignorant of company policy. Putting protected health information on an unsecured thumb drive is just asking for a HIPAA violation to happen. This is basic common sense for anyone that works in fields that are affected by HIPAA. Guarding the privacy of your patients, clients, etc. is Healthcare Ethical Behavior 101. If you are too stupid to see that information on a thumb drive in an unsecured location poses a serious ethical (as well as security problem, you are clearly too stupid to work in fields that are affected by HIPAA. I've employed filing clerks with no more than a GED that would point this out.

    Even if her employer didn't provide enough orientation to the company policies, I have no sympathy for this person whatsoever. As a healthcare professional, she should have known better, and I am willing to bet that she did indeed know better. She probably did it because it was convenient for her in her work. It's too bad that her former employer would have a hard time proving that. As far as I am concerned, she should be spending some time at a federal corrections facility for what she did.

    • John Vogel · 990 days ago

      I concur. As a health professional, my employers have told us over and over about HIPAA over the years. The latest is that fines can be levied for *each* individual violation. If I were to leave a computer screen open to view, it could be a violation costing us $10,000.

  8. INFOSEC · 990 days ago

    @ donna and John Vogel, I did many years at a major medical center running the IT Security Team (Hell I built many of the processes and controls), I would agree that you "should know about HIPAA", but you would be surprised the number of clinical staff that are given only the Patient care side of HIPAA concerns, and are told the "Systems" will handle the rest. Yes the employee did do wrong, and yes I personally investigated and assisted with the termination of employees for the exact same issue, but either way you slice it clinical staff in many healthcare organizations are not being given adequate ePHI training.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

I've been writing about technology, careers, science and health since 1995. I rose to the lofty heights of Executive Editor for eWEEK, popped out with the 2008 crash, joined the freelancer economy, and am still writing for my beloved peeps at places like Sophos's Naked Security, CIO Mag, ComputerWorld, PC Mag, IT Expert Voice, Software Quality Connection, Time, and the US and British editions of HP's Input/Output. I respond to cash and spicy sites, so don't be shy.