News & Events

HealthLeaders Media: HIPAA Auditor Involved in Own Data Breach

HIPAA Auditor Involved in Own Data Breach

Dom Nicastro, for HealthLeaders Media, August 8, 2011

The company hired by the Office for Civil Rights (OCR) to conduct nationwide HIPAA privacy and security compliance audits was responsible for a breach that includes the loss of an unencrypted flash drive and affects more than 4,500 patient records.

OCR’s request for audit proposals came in February 2011, about eight months after KPMG, LLP, reported its breach to the New Jersey healthcare system.

KPMG, which won OCR’s $9.2 million contract for HITECH-required HIPAA audits in June 2011, told the Saint Barnabas Health Care System of West Orange, NJ, in June 2010 that a KPMG employee lost an unencrypted flash drive that may have contained a list with some patient names and information about their care, Saint Barnabas reported on its website

The potential breach affected individuals at two facilities—3,630 patients at Saint Barnabas Medical Center in Livingston, NJ, and 956 patients at Newark Beth Israel Medical Center in Newark, NJ—according to a report on the OCR breach notification website. The website lists entities reporting breaches affecting 500 or more individuals, a HITECH requirement that went live in February 2010.

The flash drive did not include patient addresses, Social Security numbers, personal identification numbers, dates of birth, financial information, or other identifiable information, according to the report on the Saint Barnabas website.

KPMG reported the matter to the New Jersey healthcare system June 29, 2010. KPMG believes the flash drive was misplaced on or about May 10, 2010, according to Saint Barnabas.

“KPMG believes that it is possible that the patient data was deleted from the flash drive prior to the time when it was lost,” according to the healthcare system’s report. “KPMG has also concluded that there is no reason to believe that the information on the flash drive was actually accessed by any unauthorized person. … KPMG has told us the company is implementing measures to avoid similar incidents in the future, including additional training and the use of improved encryption for its flash drives.” 

Reached August 5 via e-mail, Pete Settles of KPMG external communications confirmed the incident with Saint Barnabas but said that “for reasons of confidentiality, we do not comment on client work.”

Susan McAndrew, deputy director of health information privacy for OCR, wrote in an e-mail that “OCR cannot address KPMG’s involvement with the breach at St. Barnabas as this case is currently under investigation.”

Ellen Greene, vice president of public relations and marketing for the Saint Barnabas Health Care System, said the organization had no comment.

News broke last month that OCR hired KPMG, LLP to implement its HITECH-required HIPAA compliance auditing plan.

KPMG is assisting the government to implement the statutory requirement to audit covered entity and business associate compliance with the HIPAA privacy and security standards as amended by HITECH.

KPMG will end up auditing 150 entities varying in size by December 31, 2012. HITECH requires “periodic audits” of covered entities and business associates to ensure HIPAA compliance.

Asked if OCR considered the KPMG involvement on this 2010 breach at any level when considering it for the HIPAA audit contract, McAndrew only said, “the award of the HIPAA audit contract was the result of HHS’ usual, rigorous, competitive process. Specific questions regarding the contract award are procurement sensitive.” 

The process to hire KPMG involved a Department of Health and Human Services (HHS) panel that reviewed and ranked all technical proposals and qualifications by “predetermined evaluation criteria,” McAndrew said.

“Evaluation criteria in the solicitation included responsiveness to the audit design requirements in the HHS statement of work, as well as past performance on other compliance audit programs,” McAndrew said. “Negotiations were conducted, and an offer was made.”

KPMG LLP is an audit, tax, and advisory firm and is the United States member firm of KPMG International, according to its website. KPMG International’s member firms have 137,000 professionals, including more than 7,600 partners, in 144 countries.

Dom Nicastro is a senior managing editor at HCPro, Inc. in Danvers, MA. He edits the Briefings on HIPAA newsletter and manages the HIPAA Update Blog. E-mail him at


John Moehrke (8/9/2011 at 1:54 PM)

What on earth was the reason that the HIPAA Auditor gave for why they needed copies of patient records? I can’t imagine any HIPAA regulation item that would need to be audited by taking a copy of patient records. This sounds like a rogue auditor, or a badly broken process.