Malware Infection Causes Breach – Lack of Firewall – Hybrid Entity
Friday, January 27th, 2017

Malware Infection and Lack of Firewall Protection Causes Breach
In yet another significant settlement by OCR, the University of Massachusetts Amherst (UMass) agreed to a monetary penalty of $650,000 arising from a workstation that was infected with malware, which resulted in the impermissible disclosure of electronic protected health information (ePHI). The disclosure involved information about 1,670 individuals and included names, addresses, social security numbers, dates of birth, health insurance information, diagnoses and procedure codes. The provider determined that the malware was a generic remote access Trojan that was able to infiltrate its system because a proper firewall was not in place.
Central to OCR’s analysis was that the provider had failed to identify the components located in its hearing center as being part of its covered components. As a result, the provider failed to apply and ensure compliance with the HIPAA privacy and security rules at that location. HIPAA permits a legal entity that has some functions covered by HIPAA and some that are not to elect to become a “hybrid entity.” To successfully “hybridize,” the entity must designate in writing the health care components that perform functions covered by HIPAA and assure HIPAA compliance for those covered health care components. It was the failure to properly follow the hybrid entity rules that left the components at the applicable site vulnerable to outside malware attack.
UMass failed to implement technical security measures at the Center to guard against unauthorized access to ePHI transmitted over an electronic communications network, namely by ensuring that firewalls were in place at the applicable location. This settlement stresses the need to ensure that all protected information is properly secured and that firewalls are used where needed. It is also instructive regarding the proper application of the rules relating to hybrid status.