Purdue University Discloses Data Safety Incidents that Possibly Undermined PHI

June 2, 2018


Two safety breaches have been found by Purdue University’s safety team that have possibly led to illegal people gaining access to the PHI of patients.

In April, Purdue University’s safety group found a file on computers used by Purdue University Pharmacy showing the appliances had been distantly retrieved by an illegal person. The file was placed on the appliances around September 1, 2017.

The computers had a limited amount of PHI including patients’ names, treatment information, diagnoses, internal identification numbers, identification numbers, dates of service, dates of birth, and amounts billed. No private financial information or Social Security numbers were saved on the computer.

An inquiry into the breach didn’t disclose any proof to indicate any patient information was stolen and no accounts have been received to indicate any patient data have been abused. Nevertheless, since it was not possible to exclude illegal PHI access with a high level of confidence, patients have been alerted to the breach.

During the course of the inquiry, the safety group also found a malware infection on a computer utilized by Family Health Clinic of Carrol County in Delphi, IN. The malware was detected on May 4. The investigation revealed it has been installed on the computer on or around March 15, 2018.

The kind of malware utilized in the attack was not revealed, even though it is possible it permitted illegal individuals to gain access to PHI.

Information saved on the computer included patients’ names, health insurance numbers, and some patients’ driver’s license numbers as well as Medicare numbers. Although data access was possible, no proof was uncovered to indicate any PHI was stolen or viewed in the attack, although as this might not be completely ruled out, patients have been informed. Patients whose driver’s license number and/or Medicare number were revealed have been offered free credit checking facilities for a year.

The breaches have prompted Purdue University’s safety group to apply additional safety controls and increase checking. The network will also be segmented and complete drive encryption will be applied.

The breach report presented to the Department of Health and Human Services’ OCR shows 1,711 people were impacted by these occurrences.