Physicians
e-Newsletter
Intelligence Unit Special Reports Special Events Subscribe Sponsored Departments Follow Us

Twitter Facebook LinkedIn RSS

HIPAA Auditor Involved in Own Data Breach

Dom Nicastro, for HealthLeaders Media, August 8, 2011

The company hired by the Office for Civil Rights (OCR) to conduct nationwide HIPAA privacy and security compliance audits was responsible for a breach that includes the loss of an unencrypted flash drive and affects more than 4,500 patient records.

OCR’s request for audit proposals came in February 2011, about eight months after KPMG, LLP, reported its breach to the New Jersey healthcare system.

KPMG, which won OCR’s $9.2 million contract for HITECH-required HIPAA audits in June 2011, told the Saint Barnabas Health Care System of West Orange, NJ, in June 2010 that a KPMG employee lost an unencrypted flash drive that may have contained a list with some patient names and information about their care, Saint Barnabas reported on its website

The potential breach affected individuals at two facilities3,630 patients at Saint Barnabas Medical Center in Livingston, NJ, and 956 patients at Newark Beth Israel Medical Center in Newark, NJ—according to a report on the OCR breach notification website. The website lists entities reporting breaches affecting 500 or more individuals, a HITECH requirement that went live in February 2010.

The flash drive did not include patient addresses, Social Security numbers, personal identification numbers, dates of birth, financial information, or other identifiable information, according to the report on the Saint Barnabas website.

KPMG reported the matter to the New Jersey healthcare system June 29, 2010. KPMG believes the flash drive was misplaced on or about May 10, 2010, according to Saint Barnabas.

1 | 2 | 3

Comments are moderated. Please be patient.

3 comments on "HIPAA Auditor Involved in Own Data Breach"


Richard Fowler (8/17/2011 at 9:04 AM)
In response to John's comment - You may have heard an auditor say "trust but verify" when asking to see proof of a transaction or process. The same is true of the auditors themselves [INVALID] they need to show that their testing or attestations were performed, and so there needs to be some record of what was reviewed, what the tests and samples were, and what their analysis revealed. That being said, KPMG should have known not to store data on an unencrypted flash drive. And it's a huge security risk that the computers enabled a download to a flash drive in the first place [INVALID] I wonder if KPMG will note that in their audit opinion.

Deborah C Peel. MD (8/10/2011 at 5:37 PM)
OCR's contractor, KPMG, breached the privacy of 4,500 patient records when an employee lost an unencrypted flash drive. First KPMG absolved itself of doing any harm: ? "KPMG believes that it is possible that the patient data was [INVALID]d from the flash drive prior to the time when it was lost," ? "KPMG has also concluded that there is no reason to believe that the information on the flash drive was actually accessed by any unauthorized person." Then KPMG prescribed its own remedy: ? "KPMG has told us the company is implementing measures to avoid similar incidents in the future, including additional training and the use of improved encryption for its flash drives." Why didn't OCR investigate and penalize KPMG? Instead, OCR doubled down and awarded KPMG a $9.2 million contract for HITECH-required HIPAA audits. This does little to inspire consumer confidence in OCR, which has a long history of not penalizing industry for data security breaches. Time for Congressional oversight?

John Moehrke (8/9/2011 at 1:54 PM)
What on earth was the reason that the HIPAA Auditor gave for why they needed copies of patient records? I can't imagine any HIPAA regulation item that would need to be audited by taking a copy of patient records. This sounds like a rogue auditor, or a badly broken process.