Malware Infection Leads to HIPAA Settlement for UMass

A recent news release announced that the University of Massachusetts Amherst has agreed to a settlement over potential violations of the Health Insurance Portability and Accountability Act (HIPAA).

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) opened an investigation after UMass reported that, on June 18, 2013, a workstation in the UMass Center for Language, Speech, and Hearing had been infected with malware. The infection permitted unauthorized access to the electronic protected health information (ePHI) of 1,670 individuals, including names, addresses, Social Security numbers, health insurance information, diagnoses and procedure codes.

According to OCR, UMass operates as a HIPAA hybrid entity, meaning it performs both covered and non-covered functions. A hybrid entity must determine which of its components are covered health care components, and the components so designated must comply with the HIPAA Privacy and Security Rules. OCR alleged that UMass erred in not designating the Center for Language, Speech, and Hearing as a covered health care component; as a result, the Center was outside the scope of the University's HIPAA program and lacked the policies and procedures needed to protect the ePHI it held.

The investigation also found that UMass did not conduct an accurate and thorough risk analysis until September 2015, and that it had not implemented technical security measures at the Center to guard against unauthorized access to ePHI. In particular, no firewall was in place to protect the Center's systems.

To resolve these allegations, UMass agreed to pay $650,000, an amount OCR reduced in light of the University's financial situation. UMass must also carry out a corrective action plan, which includes providing HIPAA training to staff, intended to prevent similar incidents in the future.