Recently an East Coast university reached a $650,000 settlement with the Department of Health and Human Services (HHS) as a result of a malware attack that resulted in the breach of ePHI. In 2013, the university reported to HHS that one of the workstations at a university facility had been infected with malware resulting in the breach of more than 1,600 individuals' ePHI. This facility was particularly vulnerable to attack because the university had incorrectly determined that it was not a covered health component under the hybrid entity rule. A hybrid entity is one single legal entity that performs both covered and non-covered functions. The entity can chose whether or not to be a hybrid entity, but if they chose to be one they must define and designate all of its health care components. In addition to the fine, the university must also conduct a comprehensive risk analysis with a focus on properly classifying all university facilities. HHS had indicated the fine would have been higher but that it took into consideration the fact that the university had operated at a loss in 2015. This settlement emphasizes the importance of having proper security programs installed on all workstations and training employees on how to detect and prevent malware attacks.
top of page
bottom of page