Lost KPMG flash drive affects 3,600+ patients
Date Reported:
9/13/10
Organization:
Saint Barnabas Health Care System
Contractor/Consultant/Branch:
Newark Beth Israel Medical Center
KPMG LLP
Location:
Undisclosed
Victims:
Patients
Number Affected:
3,630
Types of Data:
"patient names and information about their care"
Breach Description:
"KPMG LLP (“KPMG”), an independent accounting firm that provides professional services to the Saint Barnabas Health Care System and its affiliated hospitals, has informed us that a KPMG employee lost an unencrypted flash drive."
Reference URL:
Saint Barnabas Health Care System news release
PHIPrivacy.net (Dissent)
Report Credit:
Dissent, PHIPrivacy.net
Response:
From the online sources cited above:
KPMG LLP (“KPMG”), an independent accounting firm that provides professional services to the Saint Barnabas Health Care System and its affiliated hospitals, has informed us that a KPMG employee lost an unencrypted flash drive.
[Evan] Really?! KPMG employees should know better!
This drive may have contained a list with some patient names and information about their care.
The flash drive did not include patient addresses, social security numbers, personal identification numbers, date of birth, financial information or other identifiable information.
[Evan] I am more concerned about the loss of health care information than I am about financial information.
KPMG believes that the flash drive was misplaced on or about May 10, 2010.
After KPMG finished its investigation, the System received a written report about this matter on June 29, 2010.
[Evan] Was "the System" made aware of the breach prior to receiving KPMG's written report (50 days after the incident)? Let's hope so. If we had a vendor that waited 50 days to inform us of an incident that affected our clients, we would be ticked!
KPMG believes that it is possible that the patient data was deleted from the flash drive prior to the time when it was lost.
[Evan] Yeah, I suppose anything is possible ;)
KPMG has also concluded that there is no reason to believe that the information on the flash drive was actually accessed by any unauthorized person.
[Evan] This is nothing more than the standard statement made by many organizations reporting breaches. It is meant to minimize the situation. What do you think most people do with flash drives that they find laying around? (They pick them up and connect them to their computers to see what's on them.)
The Saint Barnabas Health Care System has been following up with KPMG regarding this incident.
KPMG has told us the company is implementing measures to avoid similar incidents in the future, including additional training and the use of improved encryption for its flash drives.
[Evan] You would have expected that a respectable company such as KPMG would have already addressed this issue (prior to a breach). Breaches like this are not breaking news.
We are sending letters to those patients whose information may have been included on the flash drive and for whom we have addresses.
[Evan] When? How many days go by before the owner of the information (patient) is informed?
Although no patient financial information was included, if a patient becomes aware of any suspicious activity, he/she should report it immediately to his/her financial institution and/or the authorities.
If a patient has any questions regarding this incident, please call us at (phone lines staffed Monday through Friday, 9:00 a.m. to 5 p.m.) or email us at .
In their notification to HHS, the system indicated that 3,630 patients had PHI on the lost device.
[Evan] Nice piece of reporting by Dissent.
Newark Beth Israel Medical Center, which is part of the St. Barnabas system, also notified HHS of this incident. Their report indicated that 956 patients were involved.
Commentary:
I would have expected much better from a company like KPMG. Disappointing.
Past Breaches:
Unknown