Flash Drive Lost by KPMG Employee Potentially Exposes 3,630 Patient Health Records

An employee of one of the big four accountancy firms, KPMG LLP, is reported to have lost a flash drive containing the protected healthcare data of 3,630 patients.

A flash drive was lost on or around May 10, 2010 and contained unencrypted data including the names of patients and a limited amount of healthcare information. No addresses, dates of birth, Social Security numbers, financial information, personal identification numbers or other identifiable information were stored on the drive and the risk of identity theft or medical fraud is considered to be low.

KPMG’s accountancy services are used by a number of hospitals affiliated to the Saint Barnabas Health Care System including Newark Beth Israel Medical Center. The data of 956 of its patients were stored on the drive according to the breach notification it issued to the Department of Health and Human Services.

Data breach notification rules require healthcare providers to issue breach notifications to patients, even if the breach is caused by a Business Associate. The Saint Barnabas Health Care System will therefore be dispatching notification letters to all affected individuals to advise them of the breach. It is currently unclear whether the incident constitutes a violation of the Health Insurance Portability and Accountability Act.

Healthcare providers are required to issue breach notifications without unnecessary delay and within 60 days of the discovery of a data security breach. The Department of Health and Human Services received a breach notification from the Saint Barnabas Health Care System on Sept 10; however KPMG issued a written notification of the data breach to Saint Barnabas on June 29;, four months previously. It is unclear at this point in time why the announcements about the lost flash drive were delayed.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.