As part of their crackdown, federal regulators have issued their 13th major HIPAA enforcement this year. The University of Massachusetts Amherst were given a $650,000 fine and a corrective action plan to fix the issues found by the US Department of Health and Human Services Office for Civil Rights. The agency went out of their way to imply the fine could have been larger by pointing out that University recorded a financial loss in 2015.
In June of 2013 a computer in UMass’s Center for Language, Speech, and Hearing was infected with a Trojan virus that lead to the disclosure of the personal data; including names, addresses, Social Security numbers, dates of birth, health insurance information, and diagnoses of 1,670 patients. All because UMass didn’t have a firewall.
OCR investigators discovered multiple HIPAA violations including not recognizing the center as being covered by HIPAA. Consequently, they didn’t implement the bare minimum of security procedures such as using firewalls in order to protect electronic personal health information that was being sent over their network. Additionally, UMass didn’t conduct a risk analysis until September 2015.On top of the financial settlement, UMass has agreed to implement a corrective action plan. As part of this plan, they will perform a university-wide risk analysis, come up with and implement a risk management plan, and train its staff on HIPAA policies and procedures.