Tuesday, November 29, 2016

UMass agrees to pay fine of $650,000 for exposing electronic health records

The University of Massachusetts Amherst (UMass) has agreed to pay the federal government a $650,000 fine to settle a three-year-old healthcare privacy violation: the exposure of electronic health records that resulted from a malware infection.


In June 2013, the university's Center for Language, Speech and Hearing reported to the U.S. Department of Health and Human Services Office for Civil Rights a malware infection that resulted in the unauthorized disclosure of the personal health and financial data of more than 1,670 people. The infection exposed a range of sensitive information, including patient names, addresses, Social Security numbers, dates of birth, health insurance information, diagnoses and procedure codes.


Some details of the malware attack remain vague, such as how many unauthorized users had access to the patient information and for how long. UMass says the breach resulted from a Trojan horse attack, a kind of malware that is disguised as legitimate software.


The federal government levied the fine in large part because, at the time, UMass did not have a firewall in place protecting the electronic health records at its Center for Language, Speech and Hearing. “UMass failed to execute technical security measures at the Center to guard against unauthorized access to electronic protected health information transmitted over an electronic communications network by ensuring that firewalls were in place,” according to a statement from the Office for Civil Rights, the branch of the federal government that enforces the Health Insurance Portability and Accountability Act of 1996, or HIPAA, a law that aims to ensure the confidentiality of patient medical records.


The Office for Civil Rights determined that UMass should have done a better job of ensuring that the Center for Language, Speech and Hearing was part of a protected, HIPAA-compliant electronic health network with adequate firewalls in place to block unauthorized access. The federal government also faulted the university for not performing an accurate and thorough risk analysis until September 2015, a gap that left the electronic health records exposed.


In addition to the monetary settlement, UMass has agreed to a corrective action plan that requires it to conduct an enterprise-wide risk analysis and to develop and implement a risk management plan, according to the Office for Civil Rights.


UMass is also required to revise its policies and procedures and to train its staff on the HIPAA safeguards being put in place. “HIPAA’s security needs are a significant tool for securing both patient information and business operations against threats like malware,” said Office for Civil Rights director Jocelyn Samuels.

