The University of Massachusetts Amherst has agreed to a HIPAA breach settlement of $650,000. OCR (the HHS Office for Civil Rights) notes that the penalty is lower than it could have been because the figure takes into account the fact that the university operated at a financial loss in 2015.

The breach at UMass Amherst occurred in June 2013. OCR determined that, because the university had no firewall protecting it, a workstation in the Center for Language, Speech, and Hearing was infected with malware. The infection resulted in the disclosure of 1,670 individuals' private information, including names, addresses, dates of birth, Social Security numbers, health insurance information, diagnoses, and procedure codes.

In addition to the financial settlement, UMass Amherst has agreed to implement a corrective action plan, which includes completing an enterprise-wide risk analysis, developing and implementing a risk management plan, updating policies and procedures, and increasing staff training.