
UMass settles potential HIPAA violations

December 01, 2016

The University of Massachusetts Amherst has agreed to pay the federal government $650,000 to settle potential violations of the Health Insurance Portability and Accountability Act after malware reportedly found on an electronic workstation exposed the protected health information of 1,670 people.

On June 18, 2013, UMass reported to the Office for Civil Rights, under the U.S. Department of Health and Human Services, that a workstation in the Center for Language, Speech and Hearing was infected with a malware program, which resulted in the disclosure of electronic protected health information, including names, addresses, Social Security numbers, dates of birth, health insurance information, diagnoses and procedure codes, according to a news release. The university determined that the malware was able to infiltrate the system because there was no firewall in place.

The government's investigation found that UMass failed to implement technical security measures at the center to guard against unauthorized access to electronic protected health information transmitted over an electronic communications network, namely by ensuring that firewalls were in place. The university also failed to conduct an accurate and thorough risk analysis until September 2015.

In addition to the monetary settlement, which the government indicated reflected the fact that the university operated at a financial loss in 2015, UMass agreed to a corrective action plan that requires it to conduct a risk analysis; develop and implement a risk management plan; and revise its policies and procedures and train staff on them.

To learn more about HIPAA compliance, visit hhs.gov/hipaa.