The University of Massachusetts Amherst (UMass) has settled violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules for $650,000 and a corrective action plan.
On June 18, 2013, UMass reported to the Department of Health and Human Services Office for Civil Rights (OCR) that a workstation in its Center for Language, Speech, and Hearing had been infected with malware. The infection compromised the electronic protected health information (ePHI) of 1,670 individuals, including names, addresses, Social Security numbers, birthdates, health insurance information, and diagnoses. The malware was able to reach the workstation because UMass did not have a firewall in place at the time.
The subsequent OCR investigation found the following HIPAA violations:
- UMass had failed to designate all of its health care components, incorrectly determining that the center where the breach occurred was not a covered health care component. Therefore, the center did not have the same policies and procedures to ensure HIPAA compliance as the covered health care components did.
- UMass had failed to implement technical security measures in the center to guard against unauthorized access.
- UMass did not conduct a risk analysis until September 2015, more than two years after the June 2013 breach.
“HIPAA’s security requirements are an important tool for protecting both patient data and business operations against threats such as malware,” said Jocelyn Samuels, director of OCR. “Entities that elect hybrid status must properly designate their health care components and ensure that those components are in compliance with HIPAA’s privacy and security requirements.”
UMass has agreed to pay $650,000 and conduct a systemwide risk analysis, develop a risk management plan, revise policies and procedures, and train the staff on these new policies. This corrective action plan can be found on the OCR website.