HIPAA Violations Cost UMass $650K

by Patrick Kennedy | Nov 25, 2016

The University of Massachusetts Amherst (UMass) has agreed to a $650,000 settlement with the Department of Health and Human Services’ Office for Civil Rights (OCR). The settlement resolves HIPAA violations that contributed to the university suffering a malware infection in 2013.

In early 2013, malware infected a computer in the Center for Language, Speech, and Hearing. The infection led to the impermissible disclosure of the electronic protected health information of 1,670 people. Those people had their names, addresses, social security numbers, birth dates, health insurance information, diagnoses, and procedure codes disclosed to the people behind the malware attack.

Once it discovered the malware infection in 2013, UMass carried out a detailed analysis of the infected computer. The malware was a generic remote access Trojan, and the infection occurred because the computer was not protected by a firewall. UMass concluded that ePHI had been accessed.

OCR reviews all data breaches that impact more than 500 people to determine whether the breached entities have complied with the HIPAA Privacy, Security, and Breach Notification Rules and whether the breaches occurred as a result of HIPAA violations. According to the resolution agreement, UMass notified OCR of the breach on June 4, 2013, and a review began on August 27, 2013.

OCR investigators found a number of areas of non-compliance with HIPAA Rules that led to the UMass data breach.

As it is a hybrid entity, UMass is only obligated to adhere to HIPAA Rules for some of its components – those that meet the definition of a covered entity or business associate under HIPAA. UMass had put in place appropriate measures to protect the confidentiality, integrity, and availability of ePHI for its University Health Services component, but those same security controls were not applied to the Center for Language, Speech, and Hearing because UMass had not designated it as a health care component.

OCR said, “To successfully ‘hybridize,’ the entity must designate in writing the health care components that perform functions covered by HIPAA and assure HIPAA compliance for its covered health care components.”

This mistake meant that UMass did not complete a HIPAA-compliant risk analysis at the Center. A risk analysis was eventually completed, but not until September 2015. UMass also did not implement technical security controls to protect the Center’s network and prevent unauthorized access to ePHI.

The HIPAA violations could have led to a much higher financial penalty, but OCR took the university’s finances into account. Commenting on the settlement, OCR said that the amount “is reflective of the fact that the University operated at a financial loss in 2015.”

OCR Director Jocelyn Samuels announced the settlement and explained that “HIPAA’s security requirements are an important tool for protecting both patient data and business operations against threats such as malware.” Samuels added, “Entities that elect hybrid status must properly designate their health care components and ensure that those components are in compliance with HIPAA’s privacy and security requirements.”

UMass agreed to the settlement without admitting liability. UMass will pay a $650,000 penalty and will put in place a corrective action plan (CAP) to ensure its policies and procedures meet the minimum standards necessary under the Health Insurance Portability and Accountability Act.

The CAP requires UMass to complete a thorough risk analysis of all equipment, systems, and applications that are used to access or store ePHI, so that all risks to the confidentiality, integrity, and availability of ePHI are identified.

An enterprise-wide risk management plan must also be developed to address all risks to ePHI identified by the risk analysis. A full review of policies and procedures must be carried out to ensure they comply with federal standards, and all staff members must be trained on those policies and procedures after they have been approved by OCR.


Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick is compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles on the complexities of compliance and its implications for various industries. Patrick’s comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights in this field. Patrick’s bachelor’s degree is from the University of Limerick and his master’s degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile.
