The University of Massachusetts Amherst (UMass) has agreed to a $650,000 settlement with the Department of Health and Human Services’ Office for Civil Rights (OCR). The settlement resolves HIPAA violations that contributed to a malware infection the university suffered in 2013.
In early 2013, malware infected a computer in the Center for Language, Speech, and Hearing. The infection led to the impermissible disclosure of the electronic protected health information (ePHI) of 1,670 people. Those people had their names, addresses, Social Security numbers, birth dates, health insurance information, diagnoses, and procedure codes disclosed to the people behind the malware attack.
Once the malware infection was discovered in 2013, UMass carried out a detailed analysis of the infected computer. The malware was a generic remote access Trojan, and the infection was possible because the computer was not protected by a firewall. UMass concluded that the attackers had gained access to ePHI.
OCR reviews all breaches that affect 500 or more individuals to determine whether the breached entity has complied with the HIPAA Privacy, Security, and Breach Notification Rules and whether the breach occurred as a result of HIPAA violations. According to the resolution agreement, UMass notified OCR of the breach on June 4, 2013 and OCR began its review on August 27, 2013.
OCR investigators found a number of areas of non-compliance with the HIPAA Rules that led to the UMass data breach.
As a hybrid entity, UMass is only obligated to comply with the HIPAA Rules for some of its components – those that meet the definition of a covered entity or business associate under HIPAA. UMass had put in place appropriate measures to protect the confidentiality, integrity, and availability of ePHI for its University Health Services component, but those same security controls were not applied to the Center for Language, Speech, and Hearing because UMass had not designated it as a health care component.
OCR said, “To successfully ‘hybridize,’ the entity must designate in writing the health care components that perform functions covered by HIPAA and assure HIPAA compliance for its covered health care components.”
This mistake meant that UMass did not complete a HIPAA-compliant risk analysis at the Center. A risk analysis was eventually completed, but not until September 2015. UMass also did not implement technical security controls to protect the Center’s network and prevent unauthorized access to ePHI.
The HIPAA violations could have led to a much higher financial penalty, but OCR took the University’s finances into account. Commenting on the settlement, OCR said that the amount “is reflective of the fact that the University operated at a financial loss in 2015.”
OCR Director Jocelyn Samuels announced the settlement and explained that “HIPAA’s security requirements are an important tool for protecting both patient data and business operations against threats such as malware.” Samuels added, “Entities that elect hybrid status must properly designate their health care components and ensure that those components are in compliance with HIPAA’s privacy and security requirements.”
UMass agreed to the settlement without admitting liability. UMass will pay $650,000 and will put in place a corrective action plan (CAP) to ensure its policies and procedures meet the minimum standards necessary under the Health Insurance Portability and Accountability Act.
The CAP requires UMass to complete a thorough risk analysis of all equipment, systems and applications that are used to access or store ePHI, to ensure that all risks to the confidentiality, integrity, and availability of ePHI are identified.
An enterprise-wide risk management plan must also be developed to address all risks to ePHI identified by the risk analysis. A full review of policies and procedures must also be carried out to ensure they comply with Federal standards, and all staff members must be trained on those policies and procedures after they have been approved by OCR.