A woman called a “terrific employee” by her boss was fired after downloading 6,000 medical records onto a USB drive that she then lost.
The Salt Lake Tribune reports that the woman – an account manager handling Medicaid data for residents of Utah, in the US – was shown the door after losing the portable drive earlier this month.
Jim Clair, the CEO of her now-former employer, Goold Data Systems, of Maine, said it was all pretty regrettable:
"She was a terrific employee who made a mistake, a pharmacist who oversees the entire Utah account... But [the data loss] is that serious to us."
Goold Data Systems manages pharmacy claims for several states’ Medicaid programs.
Contrary to company policy, the woman had downloaded a file containing names, ages and prescription information for 6,000 Utah Medicaid recipients onto a USB memory stick.
Then, earlier this month, somewhere between Salt Lake City, Denver and Washington, D.C., the woman lost the device.
Of course, companies should take such matters seriously, but they should do more than write policies that employees might be completely oblivious to.
Here’s the thing: the employee probably didn’t even realize that putting a file onto a thumb drive was against company policy, as CEO Clair told the Salt Lake Tribune.
She had difficulty uploading a file ordered by the Utah Department of Health, so she just found it easier to pop it onto a thumb drive, he said.
So is the incident really her fault?
There are readily available technologies that prevent copying of unencrypted sensitive files (or any files at all) onto USB drives.
Having a company policy against USB drive usage, or USB drives leaving the facilities, is insufficient – perhaps even a bit on the lax side, given that it’s technologically feasible to stop these things.
Clair acknowledges that the information on the drive may never be compromised. It did not, in fact, contain Social Security numbers, which would have opened the door much wider to identity theft.
“It could be sitting in the trash somewhere and eventually destroyed,” Clair said. “But it should have never happened in the first place.”
He’s right. It should never have happened in the first place.
And if Goold, and other businesses, did a bit of work beyond writing policy, they could ensure it doesn’t.
As Sophos’s Paul Ducklin said back when police were fined over a stolen, unencrypted USB drive, encrypt everything, and you never have to worry about the stuff you didn’t encrypt.