Purdue University Uncovers Data Security Incidents that Potentially Compromised PHI
Two security breaches have been discovered by Purdue University’s security team that have potentially resulted in unauthorized individuals gaining access to the protected health information of patients.
In April, Purdue University’s security team discovered a file on computers used by Purdue University Pharmacy indicating the devices had been remotely accessed by an unauthorized individual. The file was placed on the devices around September 1, 2017.
The computers contained a limited amount of protected health information including patients’ names, dates of birth, dates of service, identification numbers, internal identification numbers, diagnoses, treatment information, and amounts billed. No personal financial information or Social Security numbers were stored on the computers.
An investigation into the breach did not uncover any evidence to suggest any patient information was stolen and no reports have been received to suggest any patient data have been misused. However, since it was not possible to rule out unauthorized PHI access with a high degree of certainty, patients have been notified of the breach.
During the course of the investigation, the security team also discovered a malware infection on a computer used by Family Health Clinic of Carroll County in Delphi, IN. The malware was detected on May 4. The investigation revealed it had been installed on the computer on or around March 15, 2018.
The type of malware used in the attack was not disclosed, although it is possible it allowed unauthorized individuals to gain access to PHI.
Information stored on the computer included patients’ names, health insurance numbers, and some patients’ driver’s license numbers and Medicare numbers. While data access was possible, no evidence was uncovered to suggest any PHI was viewed or stolen in the attack. Since this could not be totally ruled out, however, patients have been notified. Patients whose driver’s license number and/or Medicare number were exposed have been offered free credit monitoring services for a year.
The breaches have prompted Purdue University’s security team to implement additional security controls and enhance monitoring. The network will also be segmented and full drive encryption will be implemented.
The breach report submitted to the Department of Health and Human Services’ Office for Civil Rights indicates 1,711 individuals were impacted by these incidents.