Intelligence Unit Special Reports Special Events Subscribe Sponsored Departments Follow Us

Twitter Facebook LinkedIn RSS

HIPAA Auditor Involved in Own Data Breach



A firm that won a $9.2 million federal contract to conduct privacy and security compliance audits lost a flash drive containing patient information while working with a healthcare system in 2010.



3 comments on "HIPAA Auditor Involved in Own Data Breach"
Richard Fowler (8/17/2011 at 9:04 AM)

In response to John's comment - You may have heard an auditor say "trust but verify" when asking to see proof of a transaction or process. The same is true of the auditors themselves [INVALID] they need to show that their testing or attestations were performed, and so there needs to be some record of what was reviewed, what the tests and samples were, and what their analysis revealed. That being said, KPMG should have known not to store data on an unencrypted flash drive. And it's a huge security risk that the computers enabled a download to a flash drive in the first place [INVALID] I wonder if KPMG will note that in their audit opinion.
Deborah C Peel. MD (8/10/2011 at 5:37 PM)

OCR's contractor, KPMG, breached the privacy of 4,500 patient records when an employee lost an unencrypted flash drive. First KPMG absolved itself of doing any harm: ? "KPMG believes that it is possible that the patient data was [INVALID]d from the flash drive prior to the time when it was lost," ? "KPMG has also concluded that there is no reason to believe that the information on the flash drive was actually accessed by any unauthorized person." Then KPMG prescribed its own remedy: ? "KPMG has told us the company is implementing measures to avoid similar incidents in the future, including additional training and the use of improved encryption for its flash drives." Why didn't OCR investigate and penalize KPMG? Instead, OCR doubled down and awarded KPMG a $9.2 million contract for HITECH-required HIPAA audits. This does little to inspire consumer confidence in OCR, which has a long history of not penalizing industry for data security breaches. Time for Congressional oversight?
John Moehrke (8/9/2011 at 1:54 PM)

What on earth was the reason that the HIPAA Auditor gave for why they needed copies of patient records? I can't imagine any HIPAA regulation item that would need to be audited by taking a copy of patient records. This sounds like a rogue auditor, or a badly broken process.