UMass to Pay $650K HIPAA Breach Penalty After Trojan Malware Hack November 2016
Federal authorities hinted the monetary portion of the settlement might have been higher but the government took into account that the public university lost money in 2015.
University of Massachusetts at Amherst (UMass) has agreed to pay $650,000 to settle a case alleging it failed to properly identify all of its component organizations that would handle electronic protected health information (ePHI) and one of those groups was later hacked, compromising the records of 1,670 people.
Investigators with the U.S. Department of Health and Human Services Office of Civil Rights (OCR) launched a probe on June 4, 2013, after receiving a report that a workstation at the UMass Center for Language, Speech and Hearing (the Center) had been infected with malware and that the records of patients being treated for a variety of communication-related issues had been accessed.
Since it failed to properly designate the Center as a covered entity under the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA), UMass did not extend the proper cybersecurity protections to the organization and the Center had no firewall at the time of the hack.
UMass had applied to OCR for a designation known as “hybrid entity” status, described as a way to account for “entities that have some functions that are covered by HIPAA and some that are not.”