HIPAA Horror Stories

Trojan Horse Attack Hits UMass

one-minute read

Malware infections are a common problem on today’s digital landscape. But when the attack involves Electronic Protected Health Information (ePHI), the situation can have disastrous consequences.

Trojan Horse Attack Hits Major Medical Center

When the prestigious University of Massachusetts – Amherst (UMass) reported that a workstation at its Center for Language, Speech, and Hearing (the “Center”) was hit with a “trojan horse” attack, resulting in the unauthorized release of 1,670 patient records, the Feds launched an investigation.

A trojan horse attack is a malware infection disguised as trusted software that hackers insert into a victim’s computer. The hacker exploits the operator’s trust with a harmless-looking email or fake software update that compromises the machine when loaded.

Patient Details Disclosed in Trojan Horse Attack

UMass’s Trojan Horse breach was  catastrophic, disclosing patient names, addresses, social security numbers, dates of birth, health insurance information, diagnoses and procedure codes.

The Office for Civil Rights (OCR), the Department of Health and Human Service’s agency tasked with investigating violations the Health Insurance Portability and Accountability Act (HIPAA), investigated and determined UMass had used poor judgment and lax procedures in its data protection practice.

“Hybrid” entity creates Trojan Horse Vulnerability

The first problem OCR identified had to do with a mistake in the way UMass managed its “hybrid” data. The University incorrectly designated its Center as a “health care component.” As a result, the data was not protected adequately, in violation of the HIPAA Security Rule, which details how protected health information must be managed by Covered Entities and Business Associates.

During its investigation, OCR discovered that UMass hadn’t conducted a HIPAA Risk Analysis at the Center in years. UMass also failed to deploy required data firewalls to protect its Center workstations.

UMass agreed to pay OCR a $650,000 penalty and undergo an extensive, corrective action plan that requires the organization to conduct an enterprise-wide risk analysis; develop and implement a risk management plan; revise its policies and procedures, and train its staff on these policies and procedures.

Could your organization be misclassifying its data? Is your team prepared for a Trojan Horse Attack? We can help.


The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.

Don’t become a HIPAA Horror Story! HIPAA compliance is easy, when you know the rules.

Request A Demo

Copyright © 2020 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

Terms of Service | Privacy Policy

Powered by JEMSU

Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

8820 Ladue Road Suite 200
Saint Louis, MO 63124

You may have questions about COVID-19 and HIPAA. We have answers. 

We are open and answering questions about all the new modifications and waivers, coming from HHS, OCR, CMS, and the new CARES act.

If you need help with HIPAA during the COVID-19 pandemic, fill in the form, and we’ll get back to you.

Free hipaa kit!

hipaa compliance Quick start kit
Delivered free