“The University of Massachusetts Amherst (UMass) has agreed to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules stemming from a malware infection back in 2013.
The settlement includes a corrective action plan and a monetary payment of $650,000, which is reflective of the fact that the University operated at a financial loss in 2015, according to a press release from the U.S. Department of Health and Human Services, Office for Civil Rights (OCR).
On June 18, 2013, UMass reported to the OCR that a workstation in its Center for Language, Speech, and Hearing was infected with a malware program, which resulted in the impermissible disclosure of electronic protected health information (ePHI) of 1,670 individuals, including names, addresses, social security numbers, dates of birth, health insurance information, diagnoses and procedure codes. The university determined that the malware was a generic remote access Trojan that infiltrated their system, providing impermissible access to ePHI, because UMass did not have a firewall in place, according to the OCR press release.”
Author: Heather Landi