An accounting firm used by the Saint Barnabas Health Care System and its affiliated hospitals in New Jersey has reportedly lost an unencrypted flash drive that may have contained some patients’ names as well as information about their health care.
In a notice on its web site, the hospital states that the flash drive lost by the KPMG LLP employee on or about May 10 did not contain patient addresses, Social Security numbers, personal identification numbers, dates of birth, financial information or other identifiable information. The hospital said that it received a written report on the loss on June 29, but did not indicate when it first learned of the loss.
The Saint Barnabas Health Care System announced that it is sending letters to patients whose information may have been included on the flash drive and for whom they have addresses.
HHS was notified of the breach on September 10, more than 60 days after St. Barnabas was notified by KPMG, and four months after the loss itself. In their notification to HHS, the system indicated that 3,630 patients had PHI on the lost device.
Newark Beth Israel Medical Center, which is part of the St. Barnabas system, also notified HHS of this incident. Their report indicated that 956 patients were involved.
MIAOULIS NOTE: The business associate had the breach (KPMG), yet as required by HITECH it is the Hospital that notified the patients.