Malware may have put some UMass patients' PHI at risk
The University of Massachusetts (UMass) at Amherst’s University Health Services (UHS) has disclosed a malware-infected workstation may have put some patients’ protected health information (PHI) at risk between June 30 and Sept. 29, 2010, according to a March 7 letter posted on the UHS website. UHS is the university's campus health center, offering care, education and referral services for students, faculty and staff.
The UHS workstation was inadvertently infected with a malware program that infected the user profile on June 30, 2010, according to the letter. Information potentially at risk included first and last names, health insurance company names, and medical record numbers. In addition, information concerning prescriptions dispensed between Jan. 2 and Nov. 17, 2009, including the names of medication dispensed, dispensing pharmacists’ names, the quantity, number of days of prescriptions, and physicians' names, was potentially compromised, the letter stated.
Information on 942 patients was reportedly affected.
“The vulnerability on the workstation was corrected on Oct. 28, 2010. The workstation’s disk drive was subsequently removed from the system and forwarded to the university’s Office of Information Technologies for analysis,” the letter stated.
The university conducted an intensive evaluation of the incident to determine its nature and scope, has completed its investigation and has found no evidence to suggest or indicate that any data was copied from the UHS workstation, the letter stated.
Although the risk of theft of this information is low, it cannot be determined with certainty whether any PHI was extracted, according to the letter. Affected patients were advised to be on the lookout for unusual prescriptions activity or health insurance claims to limit the likelihood of misuse of medical identity and PHI.
The university has implemented steps to keep the potential breach from happening again, according to the letter. The steps include:
The UHS workstation was inadvertently infected with a malware program that infected the user profile on June 30, 2010, according to the letter. Information potentially at risk included first and last names, health insurance company names, and medical record numbers. In addition, information concerning prescriptions dispensed between Jan. 2 and Nov. 17, 2009, including the names of medication dispensed, dispensing pharmacists’ names, the quantity, number of days of prescriptions, and physicians' names, was potentially compromised, the letter stated.
Information on 942 patients was reportedly affected.
“The vulnerability on the workstation was corrected on Oct. 28, 2010. The workstation’s disk drive was subsequently removed from the system and forwarded to the university’s Office of Information Technologies for analysis,” the letter stated.
The university conducted an intensive evaluation of the incident to determine its nature and scope, has completed its investigation and has found no evidence to suggest or indicate that any data was copied from the UHS workstation, the letter stated.
Although the risk of theft of this information is low, it cannot be determined with certainty whether any PHI was extracted, according to the letter. Affected patients were advised to be on the lookout for unusual prescriptions activity or health insurance claims to limit the likelihood of misuse of medical identity and PHI.
The university has implemented steps to keep the potential breach from happening again, according to the letter. The steps include:
- Increased and improved security training for system administrators;
- Installation of automated software to detect malicious activity;
- Increased efforts by central IT staff to identify files in departmental computers containing personal information;
- Refresher training on security practices for UHS staff;
- Additional monitoring of UHS staff adherence to security policies; and
- Train all new employees on security practices.