Ernst & Young loses 401k information of bank employees

The information, which included names and social security numbers, was encrypted, but the E&Y office sent the decryption code in the same envelope, according to a local newspaper

Regions informed employees about the missing data in a Jan. 23 letter, according to a report by the Birmingham News.

According to the letter, an Ernst & Young office mailed a package containing the flash drive, which had information on the employees' 401k retirement plans, to another office. The information, which included names and social security numbers, was encrypted, but the office sent the decryption code in the same envelope, according to the newspaper.

When the package arrived in the second Ernst & Young office, the flash drive was missing, although the decryption code was still in the envelope.

Regions did not say how many 401k participants were listed in files on the flash drive. The company employs about 27,000 people in 16 states, including about 6,000 in Birmingham, making it the city's largest private employer, the newspaper noted.

"Ernst & Young takes the security and privacy of personal information very seriously, as does Regions, and we deeply regret that this incident occurred," according to a letter sent by Ernst & Young to Regions' employees. "Ernst & Young is taking steps to prevent this issue from reoccurring, including providing additional training to the Ernst & Young team that works with Regions regarding the proper handling of confidential information."

That additional training, one would hope, will include instructions not to include the decryption code in the same envelope as encrypted information.
 
