In a very embarrassing and ironic turn of events, KPMG announced that they had a data breach that involved 4,500 patient records. KPMG has been selected by The Office of Civil Rights (OCR) to perform HIPAA compliance audits. So it appears that the company that will do HIPAA audits has experienced a HIPAA-related data breach. The breach occurred when an unencrypted USB drive was misplaced.
I am sure this news is very embarrassing to both KPMG and OCR. But I think this story highlights the fact that a data breach and HIPAA violation can happen to any organization. And what it really highlights is that USB drives are liabilities waiting to happen. I have been advocating that everyone should fear and destroy USB drives. Well, at least destroy unencrypted USB drives and only purchase encrypted USB drives.
A data breach can have serious implications for an organization’s reputation, credibility and financial health. With upcoming HIPAA audits and a growing list of HIPAA violations, now is the time for organizations to conduct a risk assessment to determine what additional measures should be used to protect patient data.