The following statement was posted on UMass Amherst’s web site on March 7:
The University of Massachusetts Amherst is notifying clients of University Health Services (UHS) whose protected health information was possibly revealed after a workstation was inadvertently infected with a malware program.
The malware infection occurred on June 30, 2010 and the vulnerability on the workstation was corrected on Oct. 28, 2010. A subsequent investigation by the Office of Information Technologies at UMass Amherst found no evidence suggesting or indicating that any data was copied from the UHS workstation, which contained patient’s names, their health insurance company names, medical record numbers and information on prescriptions dispensed between Jan. 2, 2009 and Nov. 17, 2009, including the medication, dispensing pharmacist, quantity, length of prescription and the physician’s name.
University officials, while stressing that the risk of theft of the information is low, are notifying individuals whose data was on the affected workstation in accordance with the federal Health Information Technology for Economic and Clinical Health Act (HITECH).
In a letter to the affected patients, Bernette A. Melby, executive director of UHS, advises them to pay close attention to “any unusual activity with respect to your prescriptions and health insurance claims to limit the likelihood of misuse of your medical identity and personal health information.”
The letter adds that UMass Amherst officials have taken steps to increase and improve security training for system administrators, installed automated software to detect malicious activity and increased efforts by central technology staff to identify files in departmental computers containing personal information. In addition, current and new UHS staff members are receiving additional training in security practices.
Patients may call 877-255-0045 for additional information.
Joseph Goedert of Health Data Management, who first reported the breach, indicates that 942 patients were affected.
Not surprisingly, the statement leads to a number of questions:
1. Why are those affected first being notified now if the infection was discovered by October 2010? And will HHS do anything about the late notification? HITECH has a 60-day window for notification.
2. Why wasn’t the infection discovered more promptly? Did they have any software on the system prior to this incident that would have detected malware?
3. How did the malware get on the system?
SHAME SHAME SHAME – June 2010 and only now telling us!