Healthcare Security Breach: $650,000 HIPAA Settlement

by John DiGiacomo

Partner

Data Breach

University of Massachusetts Amherst was recently hit with a Health Insurance Portability and Accountability Act (HIPAA) compliance settlement by federal regulators after suffering a healthcare security breach in 2013, according to DataBreachToday.com. The school had failed to designate its Language, Speech, and Hearing Healthcare Services as a HIPAA-covered component of its health care system, meaning that the speech and hearing healthcare center was not subject to HIPAA Privacy and Security Rule requirements when it should have been. Similarly, no security risk assessment was performed on the center until late 2015.

Since UMass Amherst is an educational institution, it places the healthcare security breach in a unique context. In a university setting, certain components of the school are required to be HIPAA compliant and others are not. The university is responsible for drawing the line between what components need to be covered by special security measures and which do not.

Malware Causes Significant Healthcare Security Breach

A computer in UMass Amherst’s Center for Language, Speech and Hearing was not equipped with a firewall. This computer became infected with malware in the summer of 2013, which resulted in the unauthorized disclosure of electronic protected health information of 1,700 students, faculty and employees. Social Security numbers, names, dates of birth, addresses, health insurance information, medical diagnoses and medical procedure codes are just some of the types of student and employee data exposed in the breach. There was no clear evidence that any data was copied from the breached computer, but it could not be ruled out, and it is assumed that the data of the 1,700 affected individuals was exposed in the breach.

HIPAA Compliance Settlement

Despite the security breach being relatively small compared to some other health care system breaches in the past, UMass Amherst was required by federal regulators to pay $650,000 in a settlement and was required to adopt and implement a corrective action plan. The corrective action plan requires that the school:

  • Create and implement a risk management plan for the future.
  • Review and revise the school’s policies and procedures concerning the identification of HIPAA-covered components of its operations.
  • Perform an organization-wide risk analysis.
  • Train and/or retrain all employees concerning HIPAA compliance, procedures, and policies.

Individuals’ protected health information was exposed as a result of the security breach at UMass Amherst. The school was unable to confirm that the breached information ended up in the hands of a third party, but that possibility could not be overlooked.

Cyber security is a rapidly changing area of law, and the data breach attorneys at Revision Legal work hard to stay up to date on the current state of cyber security. Revision Legal has worked with businesses of all sizes to assess health care and other data breach issues and has helped clients in all 50 states. If you are concerned that your personal information protected by HIPAA has been exposed or is insecure, do not delay in contacting the experienced data breach attorneys at Revision Legal. Please feel free to reach out to us today if you need the legal team from Revision Legal in your corner. Contact us using the form on this page or call us at 855-473-8474.

Photo Credit to Flickr user Ryan Scott.