A malware infection on a workstation unprotected by a firewall had substantial consequences at the university.

As a consequence of a malware infection on one workstation, which resulted in the exposure of personal data on nearly 1,700 individuals, the University of Massachusetts at Amherst will pay $650,000 to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules, according to a release from the U.S. Department of Health & Human Services (HHS).

The troubles began for UMass on June 18, 2013, when administrators alerted the Office for Civil Rights (OCR) at HHS that a workstation in its Center for Language, Speech and Hearing had been hit with a malware infection. The bug led to the exposure of electronic protected health information (ePHI) that included names, addresses, Social Security numbers, dates of birth, health insurance information, diagnoses and procedure codes.

A number of "potential" violations of the HIPAA rules were cited, including UMass's failure to "designate all of its health care components when hybridizing," and thus its failure to implement policies and procedures ensuring compliance. By not having a firewall in place at the Center, the school also failed to implement technical security measures there to guard against unauthorized access to ePHI transmitted over an electronic communications network.

Additionally, UMass was charged with not conducting an accurate and thorough risk analysis until September 2015. 

“HIPAA's security requirements are an important tool for protecting both patient data and business operations against threats such as malware,” said OCR Director Jocelyn Samuels in the HHS statement. “Entities that elect hybrid status must properly designate their health care components and ensure that those components are in compliance with HIPAA's privacy and security requirements.”  

The agreement also includes a corrective action plan requiring UMass to conduct an enterprise-wide risk analysis; develop and implement a risk management plan; revise its policies and procedures; and train its staff on these policies and procedures.