More on Quality and Safety

UMass Amherst will pay $650,000 over HIPAA violations stemming from data breach

HHS Office for Civil Rights said lack of firewall to blame; breach exposed private information of more than 1,600 people

Beth Jones Sanborn, Managing Editor

Image via Google EarthImage via Google Earth

The University of Massachusetts Amherst will pay $650,000 to settle potential HIPAA violations which arose from a data breach in 2013. The settlement also includes a corrective action plan, the HHS Office for Civil Rights announced Tuesday.  

According to the OCR, UMass reported that a workstation in its Center for Language, Speech, and Hearing was infected with a malware program on June 18, 2013. The infection caused the disclosure of electronic protected health information for 1,670 people, which included names, addresses, social security numbers, dates of birth, health insurance information, diagnoses and procedure codes.

The university was able to determine that the malware was a "generic remote access Trojan" that penetrated their system thanks to a lack of firewall, something the OCR said should have been in place.

[Also: HHS Office for Civil Rights releases ransomware guidance]

Specifically, the OCR found that UMass had failed to designate all of its healthcare components when hybridizing, and because UMass failed to designate the center a healthcare component, the university did not implement policies and procedures at the center to ensure HIPAA compliance.

Also, UMass failed to conduct an "accurate and thorough risk analysis" until September 2015.

"HIPAA's security requirements are an important tool for protecting both patient data and business operations against threats such as malware," said OCR Director Jocelyn Samuels. "Entities that elect hybrid status must properly designate their healthcare components and ensure that those components are in compliance with HIPAA's privacy and security requirements."

UMass has agreed to a corrective action plan that requires the organization to conduct an enterprise-wide risk analysis; develop and implement a risk management plan; revise its policies and procedures; and train its staff, the OCR said.

Twitter: @BethJSanborn