OCR’s (the HHS Office for Civil Rights) contractor, KPMG, breached the privacy of 4,500 patient records when an employee lost an unencrypted flash drive.
You can read the full story at Health Leaders Media, “HIPAA Auditor Involved in Own Data Breach.”
KPMG absolved itself of doing any harm:
- “KPMG believes that it is possible that the patient data was deleted from the flash drive prior to the time when it was lost.”
- “KPMG has also concluded that there is no reason to believe that the information on the flash drive was actually accessed by any unauthorized person.”
Then KPMG prescribed its own remedy:
- “KPMG has told us the company is implementing measures to avoid similar incidents in the future, including additional training and the use of improved encryption for its flash drives.”
Why didn’t OCR investigate and penalize KPMG? Instead, OCR doubled down and awarded KPMG a $9.2 million contract for HITECH-required HIPAA audits.
This does little to inspire consumer confidence in OCR, which has a long history of not penalizing industry for data security breaches.
Time for Congressional oversight?