OCR Announces $650,000 HIPAA Settlement with the University of Massachusetts Amherst.

Date posted: December 1, 2016

The University of Massachusetts Amherst (UMass) recently settled alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR).  Under the settlement, UMass agreed to pay $650,000 and implement corrective actions for a breach affecting 1,670 individuals stemming from a malware program that infected a workstation in the UMass Center for Language, Speech, and Hearing.  OCR initiated an investigation upon receiving a report from UMass in June 2013 regarding the impermissible disclosure of electronic protected health information (ePHI) resulting from the breach.  The compromised ePHI included names, addresses, social security numbers, birthdates, health insurance information, and procedure codes.

The OCR investigation revealed the following:

  • UMass did not designate the Center for Language, Speech, and Hearing  as a covered health care component under the Privacy Rule, resulting in a failure to implement the appropriate policies and procedures;
  • UMass failed to implement adequate security measures to protect against unauthorized access to ePHI, such as firewalls; and
  • UMass failed to conduct a thorough risk analysis until September 2015.

Further, OCR imposed a corrective action plan (CAP) requiring UMass to develop and implement a risk management plan and conduct an enterprise-wide risk analysis.  The CAP also calls for UMass to create and revise existing policies and procedures, and train staff members on the new guidelines.

The OCR press release is available at:


Department of Health and Human Services Office for Civil Rights.  “UMass Settles Potential HIPAA Violations Following Malware Infection.”  Press Release.  22 Nov. 2016.

‹ Return to the Main News Page
‹ Return to the CRC Homepage