Purdue University Discovered Two Security Breaches Potentially Compromising PHI

Purdue University’s security team discovered two security breaches in April that potentially allowed unauthorized persons to gain access to the protected health information (PHI) of patients. A file on Purdue University Pharmacy’s computers indicated that an unauthorized person had remotely accessed the devices on or around September 1, 2017.

Only a limited quantity of PHI was stored on the computers. The information included patients’ names, birth dates, identification numbers, internal identification numbers, dates of service, diagnoses, treatment details and billed amounts. The computers did not contain Social Security numbers or personal financial information. The investigation found no evidence that patient information was stolen, and misuse of patient data is not suspected. Nevertheless, patients have now received notifications about the breach, as it was not possible to rule out unauthorized access to patients’ PHI with 100% certainty.

The security team also investigated the computers of Family Health Clinic of Carroll County in Delphi, IN, and found a malware infection on May 4. The investigation showed the malware was installed around March 15, 2018. The type of malware was not disclosed, but it may have allowed unauthorized persons to access PHI.

The computer contained patients’ names and health insurance numbers and, for some patients, driver’s license numbers and Medicare numbers. While unauthorized persons could possibly have accessed the data, there was no indication that PHI was viewed or stolen by the attackers. Patients have now been notified and provided with further information on the attack. Those whose Medicare number and/or driver’s license number was exposed also received an offer of free credit monitoring services.

Purdue University’s security team has implemented extra security controls and enhanced network monitoring. Network segmentation and full drive encryption have also been implemented. Purdue University submitted a breach report to the Department of Health and Human Services’ Office for Civil Rights which shows 1,711 persons were affected.