All of you reading this know I hate USB drives. I despise them. They are dead to me and you can’t talk me into allowing any company to use them unless they are controlled by IT and are encrypted at all times.
This story proves my point. Complete Wellness recently notified over 600 patients, who were treated for behavioral health and substance use disorders at a Complete Wellness facility, that their sensitive information was downloaded onto an unencrypted flash drive by an employee, who took it off premises and proceeded to lose it. The employee was not authorized to do this. This makes me crazy.
But wait. There’s more. The data the employee downloaded onto the flash drive without authorization included: patients’ names, phone numbers. home addresses, email addresses, Social Security numbers, ages and dates of birth, languages spoken, ethnicity, race, marital status, names of their primary care physicians, emergency contact information, level of education, employer information, hurricane victim status, living situation, arrest history, military service information, and whether individuals had any hearing or vision difficulties.
Why on earth did the employee need all of that highly sensitive data on a flash drive? I don’t know the answer, but it illustrates how employees can do things that do not qualify as rocket science, and put the organization at huge risk.
I hope someday there are no flash drive stories to tell. But as long as technology allows employees to download information onto flash drives, there is no question that this will not be the last one told.
USB drives continue to be one of the top risks on the list of data loss. Prioritize managing that risk and commit to prohibiting them in your organization without proper controls in place. Don’t be a story to illustrate all of the careless mistakes made by employees.