The University of Massachusetts Amherst has agreed to pay $650,000 to settle potential violations of the Health Insurance Portability and Accountability Act.
The penalty is lower than it might have been and the $650,000 settlement reflects the fact that the university operated at a financial loss in 2015, according to a statement from the Office for Civil Rights, which oversees HIPAA enforcement.
The breach occurred on June 18, 2013, when a workstation in the university’s Center for Language, Speech, and Hearing was infected with a malware program. This resulted in the impermissible disclosure of electronic protected health information of 1,670 individuals, including names, addresses, social security numbers, dates of birth, health insurance information, diagnoses and procedure codes.
In this case, the malware was a generic remote access Trojan that infiltrated the system, the university determined. It provided impermissible access to ePHI, because UMass did not have a firewall in place.
In addition to the monetary settlement, UMass has agreed to a corrective action plan that requires it to conduct an enterprise-wide risk analysis; develop and implement a risk management plan; revise its policies and procedures, and train its staff on these policies and procedures.
Because UMass failed to designate the center a healthcare component, the university did not implement policies and procedures at the center to ensure compliance with the HIPAA Privacy and Security Rules.
UMass failed to implement technical security measures at the center to guard against unauthorized access to ePHI transmitted over an electronic communications network by ensuring that firewalls were in place.
Moreover, UMass did not conduct an accurate and thorough risk analysis until September 2015.
“HIPAA’s security requirements are an important tool for protecting both patient data and business operations against threats such as malware,” OCR Director Jocelyn Samuels said in a statement. “Entities that elect hybrid status must properly designate their healthcare components and ensure that those components are in compliance with HIPAA’s privacy and security requirements.”
Malware, HIPAA and data breaches will be among the topics experts address at the Privacy & Security Forum in Boston, Dec. 5-7, 2016.
⇒ Privacy & Security Forum Boston: What to expect
⇒ How to beat back hackers and savvy cybercriminals? Delve into the dark web
⇒ A CISO, consultant, and infosec vendor nail down cybersecurity best practices
⇒ Gone' phishin': Mayo Clinic shares tips for fending off attacks
⇒ Complete coverage of the HIMSS and Healthcare IT News Privacy & Security Forum
