The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Purdue University Uncovers Data Security Incidents that Potentially Compromised PHI

Posted By on May 31, 2018

Two security breaches have been discovered by Purdue University’s security team that have potentially resulted in unauthorized individuals gaining access to the protected health information of patients.

In April, Purdue University’s security team discovered a file on computers used by Purdue University Pharmacy indicating the devices had been remotely accessed by an unauthorized individual. The file was placed on the devices around September 1, 2017.

The computers contained a limited amount of protected health information including patients’ names, dates of birth, dates of service, identification numbers, internal identification numbers, diagnoses, treatment information, and amounts billed. No personal financial information or Social Security numbers were stored on the computer.

An investigation into the breach did not uncover any evidence to suggest any patient information was stolen and no reports have been received to suggest any patient data have been misused. However, since it was not possible to rule out unauthorized PHI access with a high degree of certainty, patients have been notified of the breach.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

During the course of the investigation, the security team also discovered a malware infection on a computer used by Family Health Clinic of Carrol County in Delphi, IN. The malware was detected on May 4. The investigation revealed it has been installed on the computer on or around March 15, 2018.

The type of malware used in the attack was not disclosed, although it is possible it allowed unauthorized individuals to gain access to PHI.

Information stored on the computer included patients’ names, health insurance numbers, and some patients’ driver’s license numbers and Medicare numbers. While data access was possible, no evidence was uncovered to suggest any PHI was viewed or stolen in the attack, although since this could not be totally ruled out patients have been notified. Patients whose driver’s license number and/or Medicare number were exposed have been offered free credit monitoring services for a year.

The breaches have prompted Purdue University’s security team to implement additional security controls and enhance monitoring. The network will also be segmented and full drive encryption will be implemented.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 1,711 individuals were impacted by these incidents.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist