Data Breach at UMass Leads to Settlement; Sends Warning to Healthcare Providers About Policies and Procedures

The University of Massachusetts Amherst (UMass) has agreed to a $650,000 settlement with the U.S. Department of Health & Human Services (HHS) over potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In June 2013, UMass reported to HHS that a workstation at the University’s Center for Language, Speech, and Hearing was infected with a malware program, resulting in the exposure of the electronic protected health information (ePHI) of 1,670 people. This included the disclosure of names, addresses, social security numbers, dates of birth, health insurance information, diagnoses, and procedure codes. After a review, UMass determined that they were vulnerable to the malware because they did not have a firewall in place.

The HHS Office for Civil Rights investigated the incident and found the following potential HIPAA violations:

• UMass did not implement policies and procedures at the Center for Language, Speech, and Hearing to ensure compliance with HIPAA, and failed to designate its health care components properly. (emphasis added)
• UMass failed to implement technical security measures at the Center to guard against unauthorized access to ePHI transmitted over an electronic communications network by ensuring that firewalls were in place.
• UMass did not conduct an accurate and thorough risk analysis until September 2015, more than two years after the malware infection.

HHS Office for Civil Rights Director Jocelyn Samuels commented on the case by saying that “HIPAA’s security requirements are an important tool for protecting both patient data and business operations against threats such as malware.”

UMass, in addition to paying the $650,000 monetary settlement, has agreed to do the following:

• Conduct an enterprise-wide risk analysis.
• Develop and implement a risk management plan.
• Revise its policies and procedures and retrain its staff.

insideARM Perspective

This case is a teachable moment for healthcare providers that handle the ePHI of patients, demonstrating the importance -- not only of HIPAA compliance and a sound cybersecurity strategy -- but also maintenance of policies and procedures in general.

Healthcare providers have a range of new and evolving responsibilities. These include understanding the full spectrum of compliance requirements, having proper policies and procedures in place, and adopting an audit process to ensure they are followed.

In addition to HHS, providers need to be concerned with the Consumer Financial Protection Bureau (CFPB). The CFPB has signaled in several ways that is looking at medical debt. One example is the fact that they held a field hearing on medical debt in December 2014. When the CFPB gets to the point of holding a field hearing on a topic, it typically means they are well down that path. Another example is this CFPB enforcement action for lack of policies and procedures, against a company that services medical debt on behalf of hospitals, doctors, and other healthcare providers.

insideARM has produced materials recently to help healthcare providers address these challenges, available for purchase in our Data Security and Revenue Cycle Management toolboxes.

Also, be sure to join the Compliance Professionals Forum (CPF) to stay on top of this issue in the coming months - you’ll get free access to the above materials, in addition to nearly all of insideARM’s time-saving compliance resources and intelligence, for free, with your CPF membership.

Click here to learn more about joining CPF today!