PHI-Exposing Data Security Incidents Discovered by Purdue University

Purdue University have been discovered two security breaches that may have lead to unauthorized people obtaining access to the protected health information of patients.

During April Purdue University’s security team identified a file on computers used by Purdue University Pharmacy showing that the devices had been remotely logged onto by an unauthorized person. The file was installed on the devices around September 1, 2017.

The computers included a restricted amount of protected health data including patients’ names, birth dates, timess of service, identification numbers, internal identification numbers, diagnoses, appointment information and amounts invoiced. No personal financial information or Social Security numbers were stored on the computer that was accessed.

A review into the data breach did not find any proof to suggest any patient information was obtained and no reports have been received to suggest any patient data have been improperly used. However, since it was not possible to eliminate unauthorized PHI access with a high degree of certainty, patients have been alerted of the breach.

During the investigation, the security team also identified a malware infection on a computer used by Family Health Clinic of Carrol County in Delphi, IN. The malware was found on May 4. The review showed it has been placed on the computer on or around March 15, 2018.

The variety of malware used in the attack was not released, although it is possible it allowed unauthorized people to gain access to PHI.

Data stored on the computer incorporated patients’ names, health insurance numbers and some patients’ driver’s license details and Medicare numbers. While data access could have happened, no proof was found to suggest any PHI was viewed or obtained in the attack, although since this could not be completely ruled out patients have been alerted. Patients whose driver’s license details and/or Medicare number were obtained have been offered free credit monitoring services for 12 months.

The breaches have lead to Purdue University’s security team to adapt extra security controls and enhance monitoring. The network will also be segmented and full drive encryption will be adapted.

The official breach report filed to the Department of Health and Human Services’ Office for Civil Rights (OCR) shows that 1,711 people were affected by these breach attacks.