On November 22, 2016, the Department of Health and Human Services, Office for Civil Rights (“OCR”) announced it had entered into a settlement for potential violations of the HIPAA Privacy and Security Rules with the University of Massachusetts Amherst (“UMass”). The $650,000 settlement resolves issues in connection with UMass’s June 18, 2013 report to OCR that malware containing a generic remote access Trojan had infiltrated its system through a workstation in the UMass Center for Language, Speech, and Hearing (“Center”), thereby enabling impermissible access to the electronic protected health information (“ePHI”) of 1,670 individuals.

The Breach

  • Because UMass had designated itself as a hybrid entity but had improperly treated the Center as a non-health care component, the Center did not have a firewall in place to block the malware infection.
    • UMass considers itself a “hybrid” entity under HIPAA—meaning that it is a single legal entity containing multiple components that perform both covered functions (functions related to the entity’s operations as a health care provider, health plan, or health care clearinghouse) and non-covered functions. Each health care component of a hybrid entity must abide by the requirements of the HIPAA Privacy and Security Rules.
    • UMass failed to properly designate all of its health care components and accordingly failed to implement policies and procedures for some health care components, like the Center, to ensure that each component complied with the HIPAA Privacy and Security Rules. Because the Center did not have appropriate privacy and security policies and processes in place, including a firewall to protect the Center’s workstations, a workstation was infected with malware that spread through the UMass system.
  • Additionally, UMass failed to perform an accurate and thorough security risk analysis until September 2015, more than 10 years after the HIPAA Security Rule first required it to do so.

Settlement Terms

OCR and UMass entered into a resolution agreement and a two-year corrective action plan that requires UMass to: (1) conduct a comprehensive and thorough security risk analysis; (2) develop an enterprise-wide risk management plan to address any security risks and vulnerabilities found in the risk analysis; (3) review and revise any current policies and procedures on privacy and breach notification; (4) implement technical security measures and ensure firewalls are in place; and (5) educate and train staff to ensure that similar incidents do not occur in the future.

The Lesson

In a press release announcing the settlement, OCR Director Jocelyn Samuels noted that “HIPAA’s security requirements are an important tool for protecting both patient data and business operations against threats such as malware.” She added, “entities that elect hybrid status must properly designate their health care components and ensure that those components are in compliance with HIPAA’s privacy and security requirements.”

Further Thoughts

This settlement—the first HIPAA settlement concerning malware—contributes to the record number of OCR settlements concluded during 2016. Through the first 11 months of 2016, OCR has reached 12 HIPAA settlements, twice the number of settlements made in all of 2015. This year also has witnessed the rise of ransomware attacks, with some attacks against hospitals making national news. In response to this fast-growing threat, OCR released a HIPAA guidance document on ransomware in July.

Ransomware is a particular type of malware, or malicious software, that hackers use to infect computers or other devices. Like other malware, ransomware can arrive through spam, phishing emails, or malicious files or attachments. Unlike other malware, however, once it runs, ransomware encrypts the device’s data with a key known only to the hacker, making it impossible for anyone other than the hacker to access the device’s information. The hacker typically demands that users pay a ransom to obtain the key needed to decrypt the data. In some cases, hackers deploy ransomware to destroy or exfiltrate (impermissibly transfer or extract) data from a system.

OCR has noted that the presence of ransomware or malware on a covered entity’s or business associate’s computer system is a HIPAA security incident that should be presumed to be a breach of ePHI requiring breach notification unless the entity can demonstrate, following a thorough risk assessment, that there was a low probability that the PHI was compromised. Although the malware in this incident was not ransomware, this settlement indicates that OCR has considered for some time and will continue to consider incidents of malware and ransomware as potential breaches ripe for enforcement response. Until covered entities and business associates take more systematic steps to prevent and detect malware, further settlements involving malware of all types are a virtual certainty.