Malware Attack Results in Large HIPAA Settlement

December 22, 2016

Recently, an East Coast university reached a $650,000 settlement with the Department of Health and Human Services (HHS) following a malware attack that led to a breach of ePHI. In 2013, the university reported to HHS that one of the workstations at a university facility had been infected with malware, resulting in the breach of more than 1,600 individuals' ePHI. This facility was particularly vulnerable to attack because the university had incorrectly determined that it was not a covered health component under the hybrid entity rule. A hybrid entity is one single legal entity that performs both covered and non-covered functions. The entity can choose whether or not to be a hybrid entity, but if it chooses to be one, it must define and designate all of its health care components. In addition to the fine, the university must also conduct a comprehensive risk analysis with a focus on properly classifying all university facilities. HHS indicated the fine would have been higher, but it took into consideration the fact that the university had operated at a loss in 2015. This settlement emphasizes the importance of having proper security programs installed on all workstations and training employees on how to detect and prevent malware attacks.


© 2019 by Ledbetter Parisi LLC.