HIPAA Auditor Responsible for Breach in 2010
In June of 2010, a large healthcare system was informed by its business associate that a breach had occurred, affecting thousands of patients at its hospital. The breach had occurred the previous month when an employee of the business associate lost an unencrypted flash drive that may have contained patient information. Although the breach was reported last year, news regarding the breach appears to have begun circulating this past week, most likely due to the new role of the business associate in question.
The real kicker is that the business associate was none other than KPMG, the prominent auditing, advisory and tax company that was recently awarded $9.2M by the Office for Civil Rights (OCR) to conduct HIPAA privacy and security compliance audits. Although the flash drive reportedly did not contain patient information such as social security numbers, addresses, personal identification numbers, dates of birth or financial information, the embarrassing fact remains that a KPMG employee used an unencrypted flash drive to carry around patient information.
Not only was I surprised at KPMG’s responsibility for the breach, but also the length of time that went between the discovery of the loss of the flash drive by KPMG (May 10, 2010) and the report that was sent to the covered entity regarding the loss (June 29, 2010). Although KPMG just barely notified its customer within the HITECH sixty day notice requirement, one has to wonder why it took so long for KPMG to discover that the device was missing and/or report it.
Although I am also curious as to why a KPMG employee would need to carry around patient information on a flash drive to begin with (especially an unencrypted one), this shows that a breach can happen to the best of us. It also highlights a big problem for hospitals and other health care providers when it comes to security of patient information. All too often residents, nurses and other health care providers copy patient information onto flash drives, laptops or other unencrypted devices which are easily lost or stolen. These risks must be identified and aggressively managed by health care organizations and their business associates to minimize the risk of breach to such organizations and the patients they serve.
HealthLeadersMedia reports that Susan McAndrew, OCR deputy director for health information privacy, wrote in an email that the case was currently under investigation and as such, OCR could not address KPMG’s involvement in the breach. When asked whether KPMG’s involvement in the breach had been considered prior to awarding it the HIPAA audit contract, McAndrew stated,
The award of the HIPAA audit contract was the result of HHS’ usual, rigorous, competitive process. Specific questions regarding the contract award are procurement sensitive.
The public notice made available by the hospital on its website stated that,
KPMG has told us the company is implementing measures to avoid similar incidents in the future, including additional training and the use of improved encryption for its flash drives.
Improved encryption? The flash drive that went missing reportedly did not have any encryption mechanisms. One would hope though that KPMG has followed through and improved its security measures, given that it is now an ONC HIPAA auditor with the potential to access patient PHI and other information in the course of its auditing activities.
