UMass Amherst Hit with $650,000 HIPAA SettlementMalware-Related Breach Affected a Unit that Should Have Been HIPAA Compliant
In the 13th major HIPAA enforcement action so far this year, federal regulators have slapped the University of Massachusetts Amherst with a $650,000 financial settlement and corrective action plan after investigating a relatively small 2013 breach involving a malware infection at a campus speech and language center.
In a Nov. 22 statement, the U.S. Department of Health and Human Service's Office for Civil Rights acknowledges that the UMass settlement amount reflects "the fact that the university operated at a financial loss in 2015," implying that the financial payment could have been much higher.
Privacy attorney David Holtzman, vice president of compliance at security consulting firm CynergisTek, says the settlement with UMass Amherst should serve as "a wake-up call to other colleges and universities that offer healthcare-related services to students, faculty or others ... and receive reimbursements from third parties. UMass failed to include its language, speech and hearing healthcare services as a designated HIPAA covered component subject to HIPAA privacy and security rule requirements, including performing a risk assessment."
Breach Affected Less Than 1,700
OCR in its statement says that on June 18, 2013, UMass reported that a workstation in its Center for Language, Speech, and Hearing was infected with malware, resulting in the impermissible disclosure of electronic protected health information of 1,670 individuals, including names, addresses, Social Security numbers, dates of birth, health insurance information, diagnoses and procedure codes.
"The university determined that the malware was a generic remote access Trojan that infiltrated their system, providing impermissible access to ePHI, because UMass did not have a firewall in place," the OCR statement says.
OCR says its breach investigation found the following potential violations of HIPAA:
- While UMass correctly identified that its University Health Services was a HIPAA-covered healthcare component, it failed to designate the center where the breach of ePHI occurred as a HIPAA-covered component, and thus "did not implement policies and procedures at the center to ensure compliance with the HIPAA privacy and security rules."
- UMass failed to implement technical security measures at the speech and language center to guard against unauthorized access to ePHI transmitted over an electronic communications network by ensuring that firewalls were in place.
- UMass did not conduct an accurate and thorough risk analysis until September 2015.
OCR notes that the HIPAA Privacy Rule permits entities that have some functions that are covered by HIPAA and some that are not to elect to become a "hybrid entity." To successfully "hybridize," the entity must designate in writing the healthcare components that perform functions covered by HIPAA and ensure HIPAA compliance for those components, OCR explains.
UMass, in its hybrid strategy, failed to designate the speech, language and hearing center where the breach occurred as a HIPAA-covered component.
"HIPAA's security requirements are an important tool for protecting both patient data and business operations against threats, such as malware," OCR director Jocelyn Samuels said in the statement. "Entities that elect hybrid status must properly designate their healthcare components and ensure that those components are in compliance with HIPAA's privacy and security requirements."
Corrective Action Plan
In addition to the monetary settlement, as part of the resolution agreement with OCR, UMass has agreed to a corrective action plan that requires the organization to:
- Conduct an enterprisewide risk analysis;
- Develop and implement a risk management plan, including revising its policies and procedures;
- Train its staff on these HIPAA policies and procedures.
In a statement provided to Information Security Media Group, a UMass spokesman says: "The University of Massachusetts Amherst recognizes that corrective action is needed to ensure the security of individuals' protected health information. The university has already begun work to develop and implement a plan to improve its procedures to ensure the security of such private electronic records.
"In the case cited by HHS, the university voluntarily reported the discovery of malware on a workstation. An intensive evaluation of the incident located no evidence suggesting or indicating that any data was copied from the workstation, but could not rule out the possibility. The university received no reports of a third party gaining access to protected health information."
Lessons to Learn
Privacy attorney Kirk Nahra of the law firm Wiley Rein, notes: "This is a very interesting case because of the university setting, which brings together HIPAA, FERPA and other laws," he says. FERPA, or the Family Educational Rights and Privacy Act, is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
"The challenge in these settings is to draw lines between activities that are inside HIPAA and those that aren't, and in this case they drew the line wrong and then had a breach in the place where the line should have crossed," Nahra says. "So, this is another reminder - even in these settings where there are non-HIPAA parts - to make sure you are very careful with where your information goes, and where your security program covers it."
Holtzman also notes that while FERPA regulations aim to protect student privacy, they do not include a data security rule, as HIPAA does.
"The malware breach at UMass was a symptom that the university had not recognized that [the speech and language center] was also subject to complying with HIPAA regulations, including conducting a security risk assessment," Holtzman says.