HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Purdue University Uncovers Data Security Incidents that Potentially Compromised PHI

Two security breaches have been discovered by Purdue University’s security team that have potentially resulted in unauthorized individuals gaining access to the protected health information of patients.

In April, Purdue University’s security team discovered a file on computers used by Purdue University Pharmacy indicating the devices had been remotely accessed by an unauthorized individual. The file was placed on the devices around September 1, 2017.

The computers contained a limited amount of protected health information including patients’ names, dates of birth, dates of service, identification numbers, internal identification numbers, diagnoses, treatment information, and amounts billed. No personal financial information or Social Security numbers were stored on the computers.

An investigation into the breach did not uncover any evidence to suggest any patient information was stolen and no reports have been received to suggest any patient data have been misused. However, since it was not possible to rule out unauthorized PHI access with a high degree of certainty, patients have been notified of the breach.

During the course of the investigation, the security team also discovered a malware infection on a computer used by Family Health Clinic of Carroll County in Delphi, IN. The malware was detected on May 4. The investigation revealed it had been installed on the computer on or around March 15, 2018.

The type of malware used in the attack was not disclosed, although it is possible it allowed unauthorized individuals to gain access to PHI.

Information stored on the computer included patients’ names, health insurance numbers, and some patients’ driver’s license numbers and Medicare numbers. While data access was possible, no evidence was uncovered to suggest any PHI was viewed or stolen in the attack. Since this could not be totally ruled out, patients have been notified. Patients whose driver’s license number and/or Medicare number were exposed have been offered free credit monitoring services for a year.

The breaches have prompted Purdue University’s security team to implement additional security controls and enhance monitoring. The network will also be segmented and full drive encryption will be implemented.

The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 1,711 individuals were impacted by these incidents.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.