University of Massachusetts campus. Credit: Contributed Photo

AMHERST — The University of Massachusetts will pay $650,000 to the federal government after the disclosure of personal and health information of some 1,670 people following a computer virus at a workstation on campus in 2013.

UMass officials said Friday there is no evidence indicating that any data was copied from the workstation.

The settlement with the U.S. Department of Health and Human Services was announced for the potential Health Insurance Portability and Accountability Act violations resulting from the June 2013 incident. At that time, the university reported to the Office for Civil Rights that a workstation at the Center for Language, Speech and Hearing became infected with a malware program — triggering the disclosure of personal health information associated with roughly 1,670 people.

The information included names, addresses, Social Security numbers, dates of birth, health insurance information, diagnoses and procedure codes, according to the Department of Health and Human Services. The agency enforces federal standards related to the privacy of personal health information.

UMass spokesman Edward Blaguszewski said in an email Friday that there was no evidence that the information was ever accessed by a third party. UMass has also taken steps to develop a corrective action plan — which was also an agreement included in the settlement — to improve security measures, Blaguszewski said.

The breach was possible because the university did not have a firewall in place on the workstation in question, according to the federal agency.

“The University of Massachusetts Amherst recognizes that corrective action is needed to ensure the security of individuals’ protected health information,” Blaguszewski said in the email. “The university has already begun work to develop and implement a plan to improve its procedures to ensure the security of such private electronic records.”

He continued, “In the case cited by HHS, the university voluntarily reported the discovery of malware on a workstation. An intensive evaluation of the incident located no evidence suggesting or indicating that any data was copied from the workstation, but could not rule out the possibility. The university received no reports of a third party gaining access to protected health information.”

Office for Civil Rights Director Jocelyn Samuels also issued this statement in announcing the settlement:

“HIPAA’s security requirements are an important tool for protecting both patient data and business operations against threats such as malware. Entities that elect hybrid status must properly designate their health care components and ensure that those components are in compliance with HIPAA’s privacy and security requirements.”