There is never a reason that an employee of a medical facility would ever need to take a patients records out of that facility. If records are being transferred to another care provider, there are already procedures in place for that.
No, there is simply no excuse for this information to ever be on a thumb drive, or for that matter, anyone's computer. It should be on a centralized storage server, and access should only be through secured remote terminals or terminal software (i.e. secured SQL server with Access front end, and only accessible on-site).
The amount of personal information that gets lost on laptops, thumb drives, etc.. is just disgusting.