Massachusetts Hospital Settles HIPAA Violations for $650,000

The University of Massachusetts Amherst (UMass) recently settled potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules arising from a malware attack in 2013.

UMass reported to the U.S. Department of Health and Human Services, Office for Civil Rights (OCR) that a workstation in its Center for Language, Speech, and Hearing was infected with malware, resulting in the impermissible disclosure of the electronic protected health information (ePHI) of 1,670 individuals, including names, addresses, Social Security numbers, dates of birth, health insurance information, diagnoses, and procedure codes.

In addition to the monetary payment of $650,000, the settlement includes a corrective action plan. The plan requires UMass to conduct an enterprise-wide risk analysis, develop and implement a risk management plan, revise its policies and procedures, and train its staff on those policies and procedures.
