UMass to Pay $650K HIPAA Breach Penalty After Trojan Malware Hack November 2016

Federal authorities hinted the monetary portion of the settlement might have been higher but the government took into account that the public university lost money in 2015.

Aldrin Brown, Editor-in-Chief

November 24, 2016

2 Min Read
UMass to Pay 650K HIPAA Breach Penalty After Trojan Malware Hack
UMass is the latest organization to pay up under a federal crackdown of HIPAA cybersecurity rules that has collected $23.5 million so far this year.

University of Massachusetts at Amherst (UMass) has agreed to pay $650,000 to settle a case alleging it failed to properly identify all of its component organizations that would handle electronic protected health information (ePHI) and one of those groups was later hacked, compromising the records of 1,670 people.

Investigators with the U.S. Department of Health and Human Services Office of Civil Rights (OCR) launched a probe on June 4, 2013, after receiving a repot that a workstation at the UMass Center for Language, Speech and Hearing (the Center) had been infected and the records of patients being treated for a variety of communication-related issues accessed.

Since it failed to properly designate the Center as a covered entity under the Security Rule of the Health Insurance Portability and Accountability Act (HIPAA), UMass did not extend the proper cybersecurity protections to the organization and the Center had no firewall at the time of the hack.

UMass had applied to OCR for a designation known as “hybrid entity” status, described as a way to account for “entities that have some functions that are covered by HIPAA and some that are not.”

“UMass had failed to designate all of its health care components when hybridizing, incorrectly determining that while its University Health Services was a covered health care component, other components, including the Center where the breach of ePHI occurred, were not covered components,” according to a Nov. 22 statement from OCR. “Because UMass failed to designate the Center a health care component, UMass did not implement policies and procedures at the Center to ensure compliance with the HIPAA Privacy and Security Rules.”

OCR investigators also found:

  • UMass failed to implement technical security measures at the Center to guard against unauthorized access to ePHI transmitted over an electronic communications network by ensuring that firewalls were in place at the Center. 

  • Finally, UMass did not conduct an accurate and thorough risk analysis until September 2015. 

The hacked data included names, addresses, social security numbers, dates of birth, health insurance information, diagnoses and procedure codes.

“HIPAA’s security requirements are an important tool for protecting both patient data and business operations against threats such as malware,” OCR Director Jocelyn Samuels said in a statement. “Entities that elect hybrid status must properly designate their health care components and ensure that those components are in compliance with HIPAA’s privacy and security requirements.”

It’s not clear which portions of the Center’s operations would not have been bound by HIPAA regulations.

Thus far in 2016, healthcare organizations and, in some cases, the IT contractors they hired, have agreed to pay a combined $23.5 million to settle more than a dozen cases alleging they mishandled ePHI, as per HIPAA rules.

That’s up from just $6.2 million in all of 2015.


Send tips and news to [email protected].

Read more about:


About the Author(s)

Aldrin Brown

Editor-in-Chief, Penton

Veteran journalist Aldrin Brown comes to Penton Technology from Empire Digital Strategies, a business-to-business consulting firm that he founded that provides e-commerce, content and social media solutions to businesses, nonprofits and other organizations seeking to create or grow their digital presence.

Previously, Brown served as the Desert Bureau Chief for City News Service in Southern California and Regional Editor for Patch, AOL's network of local news sites. At Patch, he managed a staff of journalists and more than 30 hyper-local and business news and information websites throughout California. In addition to his work in technology and business, Brown was the city editor for The Sun, a daily newspaper based in San Bernardino, CA; the college sports editor at The Tennessean, Nashville, TN; and an investigative reporter at the Orange County Register, Santa Ana, CA.


Free Newsletters for the Channel
Register for Your Free Newsletter Now

You May Also Like