PHI-Exposing Data Security Incidents Discovered by Purdue University

May 31, 2018 Patrick Kennedy HIPAA Updates Comments Off

Purdue University have been discovered two security breaches that may have lead to unauthorized people obtaining access to the protected health information of patients.

During April Purdue University’s security team identified a file on computers used by Purdue University Pharmacy showing that the devices had been remotely logged onto by an unauthorized person. The file was installed on the devices around September 1, 2017.

The computers included a restricted amount of protected health data including patients’ names, birth dates, timess of service, identification numbers, internal identification numbers, diagnoses, appointment information and amounts invoiced. No personal financial information or Social Security numbers were stored on the computer that was accessed.

A review into the data breach did not find any proof to suggest any patient information was obtained and no reports have been received to suggest any patient data have been improperly used. However, since it was not possible to eliminate unauthorized PHI access with a high degree of certainty, patients have been alerted of the breach.

During the investigation, the security team also identified a malware infection on a computer used by Family Health Clinic of Carrol County in Delphi, IN. The malware was found on May 4. The review showed it has been placed on the computer on or around March 15, 2018.

The variety of malware used in the attack was not released, although it is possible it allowed unauthorized people to gain access to PHI.

Data stored on the computer incorporated patients’ names, health insurance numbers and some patients’ driver’s license details and Medicare numbers. While data access could have happened, no proof was found to suggest any PHI was viewed or obtained in the attack, although since this could not be completely ruled out patients have been alerted. Patients whose driver’s license details and/or Medicare number were obtained have been offered free credit monitoring services for 12 months.

The breaches have lead to Purdue University’s security team to adapt extra security controls and enhance monitoring. The network will also be segmented and full drive encryption will be adapted.

The official breach report filed to the Department of Health and Human Services’ Office for Civil Rights (OCR) shows that 1,711 people were affected by these breach attacks.

About Patrick Kennedy 619 Articles

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile: https://www.linkedin.com/in/pkkennedy/