Healthcare News & Insights

Lost USB drive leads to breach of 6,000 patient records

Many healthcare providers have policies about clinicians and staff members carrying sensitive patient data around on laptops, tablets and smartphones. But here’s another mobile gadget to address in those rules: 

USB thumb drives.

Though they’re certainly convenient for transferring data from location to location, those tiny, portable and easily misplaced storage devices have also been responsible for plenty of data breaches.

Most recently, it was a breach of healthcare data caused by a lost drive.

The Utah Department of Health (UDOH) recently notified affected Medicaid recipients that their data may have been compromised after it was misplaced by a third-party contractor.

According to UDOH, an employee of the contractor, Good Health Systems (GHS), loaded personal health information about 6,000 individuals onto an unencrypted USB thumb drive while traveling between Salt Lake City, Denver and Washington, DC.

The drive didn’t contain any Social Security numbers or financial information, but was loaded with patients’ names, Medicaid identification numbers, ages and prescription drug history.

Security dangers of USB drives

UDOH and GHS aren’t alone in suffering an IT security incident because of a USB thumb drive. In a 2011 survey conducted by the Ponemon Institute, 47% of IT managers were certain and 23% believed it was likely that their company had experienced a data breach because of information contained on a missing USB drive.

The survey also found that employees regularly engage in dangerous behaviors with USB drives, and companies aren’t doing enough to stop them. Respondents admitted that their organization’s employees:

  1. Use USB drives at work without getting permission to do so (cited by 78% of respondents)
  2. Lose USB drives without notifying management (73%), and
  3. Regularly use generic USB drives, such as those given out for free at trade shows (72%).

What can providers do to prevent data breaches caused by USB drives? Having a policy against loading those devices with sensitive information isn’t enough — UDOH had a rule against doinh so, and the employees’ actions were a violation of the agency’s contract with GHS.

Security experts recommend organizations:

  • Offer encrypted drives to some people. If some staff members have a reason to use a portable drive and will likely use one no matter what the policy is, it might make sense for health IT departments to invest in secure, encrypted drives to hand out.
  • Block USB ports on some machines. In some cases, organizations will want to make sure an employee isn’t carrying data around on any portable device, whether it’s secure or not. For those situations, IT can disable USB ports on employees’ computers.
  • Disable autorun and keep antivirus software up to date. IT can prevent viruses from spreading that by keeping antivirus software up to date and making sure AutoRun is disabled on Windows machines.
  • Train users employees. One reason USB thumb drives cause problems is that the devices are so small and inexpensive, many people might be careless with them. But IT can train them to understand that while the drives may be cheap, the data contained on them may have a big price tag.

Subscribe Today

Get the latest and greatest healthcare news and insights delivered to your inbox.


  1. […] also a nifty thing to have on hand, so combining the two seems like an innovative idea. It is. But what if you lose it? What if someone likes it so much that that snatch it? Many data breaches are caused by lost or […]