There have been a couple of instances where malware infected USB drives have been given away unknowingly as promotional items at conferences, e.g., IBM in 2010.
Besides this, if a healthcare company were to give away "branded" USB drives, what other risks might be involved with such giveaways?
Further, if the recipient of the drive downloads their personal medical information to the drive, and it gets lost, can the healthcare provider be implicated?
The risk to the recipient is that there could be anything on there. The biggest risk to you is probably reputational damage, as you are just providing empty USB sticks, not delivering them with sensitive information on. I would be surprised if they could hold you liable for loss of their data - I don't know of any cases thus far where this has happened (however I am not a lawyer, not do I play one on TV)
Mitigation options:
As the person who gives the USB keys, your risk is about reputation and possibly legal retaliation; see @Rory's answer.
For who receives the key, risks are higher, in particular because what looks like a conventional USB key may declare itself, at the USB level, to be a keyboard, and begin to automatically "type" things wildly. It has been demonstrated. Even if the key is really a storage device with a filesystem, a suitably altered filesystem might try to exploit a bug in the operating system code (filesystem implementations are known to be complex and a bit fragile in that respect). And there is the whole "autorun" business (see this answer for some details).
USB flash drives are an extraordinarily bad promotional item. Because of the frequent malware, most companies now have rules forbidding employees from accepting them, or to destroy them if they already have.
Remember that malware comes in many forms on such drives. The latest to appear is where hackers reprogram the firmware on the devices, such that they appear not only as a USB flash drive, but also a keyboard. At random times, they insert special key strokes to launch commands, such as opening a URL to download malware from a website.
The only risk to the recipient is that the promotional USB drives you distribute contain malware. This may sound unlikely but it does happen.
It is very unlikely you will be held responsible for someone using the disk to store personal data and loosing it.
There are other risks that the official looking disk could be mis-used (possibly for an attack on the company) but these are minimal.
I don’t think there is any risk. You didn’t ask them to store patient data on this device.
Unless you gave them USB device that aims to store data safely (encrypted) and the encryption wasn’t good; then they can claim that they count on device protection, but even in this case the USB manufacture will be responsible, not you.
But doesn’t matter what we say they can be upset with you and your company if something like that happened. You can’t control people’s feelings.
