Malware infections are a common problem on today’s digital landscape. But when the attack involves Electronic Protected Health Information (ePHI), the situation can have disastrous consequences.
Trojan Horse Attack Hits Major Medical Center
When the prestigious University of Massachusetts – Amherst (UMass) reported that a workstation at its Center for Language, Speech, and Hearing (the “Center”) was hit with a “trojan horse” attack, resulting in the unauthorized release of 1,670 patient records, the Feds launched an investigation.
A trojan horse attack is a malware infection disguised as trusted software that hackers insert into a victim’s computer. The hacker exploits the operator’s trust with a harmless-looking email or fake software update that compromises the machine when loaded.
Patient Details Disclosed in Trojan Horse Attack
UMass’s Trojan Horse breach was catastrophic, disclosing patient names, addresses, social security numbers, dates of birth, health insurance information, diagnoses and procedure codes.
The Office for Civil Rights (OCR), the Department of Health and Human Service’s agency tasked with investigating violations the Health Insurance Portability and Accountability Act (HIPAA), investigated and determined UMass had used poor judgment and lax procedures in its data protection practice.
“Hybrid” entity creates Trojan Horse Vulnerability
The first problem OCR identified had to do with a mistake in the way UMass managed its “hybrid” data. The University incorrectly designated its Center as a “health care component.” As a result, the data was not protected adequately, in violation of the HIPAA Security Rule, which details how protected health information must be managed by Covered Entities and Business Associates.
During its investigation, OCR discovered that UMass hadn’t conducted a HIPAA Risk Analysis at the Center in years. UMass also failed to deploy required data firewalls to protect its Center workstations.
UMass agreed to pay OCR a $650,000 penalty and undergo an extensive, corrective action plan that requires the organization to conduct an enterprise-wide risk analysis; develop and implement a risk management plan; revise its policies and procedures, and train its staff on these policies and procedures.
Could your organization be misclassifying its data? Is your team prepared for a Trojan Horse Attack? We can help.