PHI-Exposing Data Safety Incidents Discovered by Purdue University

June 02, 2018


Purdue University has discovered two security breaches that might have led to illegal people getting access to the protected health information of patients.

During April Purdue University’s safety team found a file on computers used by Purdue University Pharmacy indicating that the appliances had been distantly logged onto by an illegal person. The file was installed on the appliances around September 1, 2017.

The computers contained a restricted amount of safeguarded health data including patients’ names, appointment information, diagnoses, internal identification numbers, identification numbers, times of service, birth dates, and amounts invoiced. No Social Security numbers or private financial information were saved on the computer that was retrieved.

A review into the data breach didn’t find any evidence to indicate any patient information was gotten and no reports have been received to indicate any patient data have been wrongly used. Nevertheless, as it was not possible to exclude illegal PHI access with a high level of confidence, patients have been warned of the breach.

During the inquiry, the safety team also found a malware infection on a computer utilized by Family Health Clinic of Carrol County in Delphi, IN. The malware was discovered on May 4. The analysis indicated it has been put on the computer on or around March 15, 2018.

The type of malware utilized in the attack was not announced, even though it is possible it allowed illegal people to gain access to PHI.

Data saved on the computer included patients’ names, health insurance numbers and some patients’ driver’s license particulars and Medicare numbers. Although data access might have occurred, no evidence was found to indicate any PHI was obtained or viewed in the attack, although as this could not be totally precluded patients have been warned. Patients whose driver’s license details and/or Medicare number was obtained have been provided free credit checking facilities for 12 months.

The breaches have led to Purdue University’s safety team to adopt additional safety controls and increase checking. The network will also be segmented and complete drive encryption will be adapted.

The formal breach report filed with the Department of Health and Human Services’ Office for Civil Rights (OCR) indicates that 1,711 people were impacted by these breach attacks.