Since the Office for Civil Rights (OCR) began publishing information on health care data breaches affecting 500 or more individuals on its website, 300 breaches have been reported. Two of those data breaches were reported by KPMG, LLP, as a business associate to the New Jersey health care system.
The breach occurred in June 2010, when a KPMG employee lost an unencrypted flash drive that may have contained a list with some patient names and information about their care. Eight months later, KPMG was chosen by OCR to develop a HIPAA auditing protocol and conduct audits on 150 covered entities and business associates before Dec. 31, 2012.
Considering that encryption is one of the most important tools for avoiding a health care data breach, it is surprising that a HIPAA auditor would be using an unencrypted device, even if KPMG was not an auditor at the time of the breach. KPMG said it would implement improved security measures to avoid future breaches. Hopefully those improved security measures include the use of encrypted flash drives.
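The point of encrypting removable media is that a lost drive then holds nothing an attacker can read, and that any tampering with the stored data is detected on the way back in. The Go program below is an added illustration of that property and is not code from the article, KPMG, or OCR. It assumes the key is generated and kept on the workstation or in a key manager (never on the drive itself), and the patient list it protects is a constructed sample, not real data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample record: the kind of list a lost, unencrypted drive would expose.
const samplePatientList = "Doe, Jane;MRN-0001;cardiology follow-up\nRoe, John;MRN-0002;oncology consult\n"

// NewKey returns a fresh 256-bit AES key. Assumption: this key stays on the
// workstation or in a key manager and is never copied onto the removable drive.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce||ciphertext||tag.
// That blob is the only thing written to the flash drive.
func Seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Open reverses Seal. It fails closed: a wrong key or any modification of the
// stored blob produces an error, never silently corrupted plaintext.
func Open(key, blob []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil)
}

// LeaksPlaintext reports whether a fragment of the record appears verbatim in
// the blob, a simple check that what sits on the drive is not readable as-is.
func LeaksPlaintext(blob []byte, fragment string) bool {
	return bytes.Contains(blob, []byte(fragment))
}

func main() {
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Seal(key, []byte(samplePatientList))
	if err != nil {
		panic(err)
	}
	fmt.Printf("on-drive blob is %d bytes; MRN visible in it: %v\n", len(blob), LeaksPlaintext(blob, "MRN-0001"))

	// Wrong key (what a finder of the lost drive would have to guess): rejected.
	wrongKey, _ := NewKey()
	_, err = Open(wrongKey, blob)
	fmt.Println("open with wrong key:", err)

	// Right key on the original workstation: record recovered intact.
	pt, err := Open(key, blob)
	fmt.Println("open with right key:", err == nil && string(pt) == samplePatientList)
}
```

With this arrangement the drive carries ciphertext and an authentication tag only; recovery needs the key that never left the workstation, and a modified blob is rejected rather than decrypted.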
Most health care organizations are becoming keenly aware of the need to keep mobile devices secure. SearchHealthIT’s recent security and privacy report shows that encryption and mobile device security ranked highest among the technologies that health IT professionals plan to purchase in the next year to help their organization achieve HIPAA compliance. Survey respondents also reported that the weakest link in hospital patient data security is staff who leave laptops or records in open areas.