The University of Massachusetts at Amherst entered into a resolution agreement with the Department of Health and Human Services settling alleged security violations.
The University reported that a workstation in its Center for Language, Speech and Hearing was infected with malware. That malware infiltrated the University’s computer system and potentially provided unauthorized access to protected health information of 1,670 individuals. The PHI included names, addresses, birthdates, Social Security Numbers, diagnosis information and procedure code.
HHS determined that the Center should have been designated as a health care component of the University as a hybrid entity. Since the Center was not identified as a health care component, the University did not properly conduct a risk assessment of the PHI it held. The university paid $650,000 and agreed to a corrective action plan.
