PHI-Exposing Data Safety Occurrences Found by Purdue University

June 2, 2018


Purdue University has found two safety breaches that might have led to illegal people getting access to the PHI of patients.

During April Purdue University’s safety team recognized a file on computers used by Purdue University Pharmacy indicating that the appliances had been distantly logged on by an illegal person. The file was fitted on the appliances around September 1, 2017.

The computers contained a limited amount of safeguarded health data including patients’ names, diagnoses, internal identification numbers, identification numbers, and times of service, birth dates, appointment information and amounts billed. No Social Security numbers or personal financial information were stored on the computer that was retrieved.

A reexamination into the data breach didn’t find any evidence to indicate any patient information was gotten and no reports have been taken to indicate any patient data have been wrongly used. Nevertheless, as it was impossible to get rid of illegal PHI access with a high level of confidence, patients have been warned of the breach.

During the inquiry, the safety team also found a malware infection on a computer used by Family Health Clinic of Carrol County in Delphi, IN. The malware was noticed on May 4. The review indicated it has been placed on the computer on or around March 15, 2018.

The type of malware used in the attack was not released, even though it is possible it permitted illegal people to gain access to PHI.

Data stored on the computer contained patients’ names, health insurance numbers and a few patients’ driver’s license details and Medicare numbers. Although data access might have occurred, no evidence was found to indicate any PHI was seen or obtained in the attack, even though since this might not be totally ruled out, patients have been warned. Patients whose driver’s license details and/or Medicare number were gotten have been offered free credit checking facilities for 12 months.

The breaches have led to Purdue University’s safety team to get used to extra safety controls and increase checking. The network will also be segmented and complete drive encryption will be adapted.

The formal breach report filed with the Division of Health and Human Services’ Office for Civil Rights (OCR) indicates that 1,711 people were impacted by these breach attacks.