In April, Purdue University’s security group identified two security breaches which likely granted unauthorized people access to the protected health information (PHI) of patients. A data file on Purdue Univesity Pharmacy’s computers suggests that an unauthorized individual had remote access to the devices in September 1, 2017.
There was just a limited volume of PHI in the computers. Data included the names of patients, dates of birth, ID numbers, internal ID numbers, dates of service, diagnoses, treatment information and invoiced amount. The computer had no Social Security numbers or personal financial data. Following the breach investigating, the team failed to discover any proof that reveals patient data was stolen. There was likewise no record that would suggest the fraudulent use of any patient information. Even so, patients still obtained notices concerning the breach since it’s not possible to be 100% sure that there wasn’t any unauthorized access of PHI.
The security group inspected the computers of Family Health Clinic of Carrol County in Delphi, IN and likewise discovered malware infection on May 4. However investigation revealed that the malware had been installed on March 15, 2018. It was not revealed which kind of malware was installed however without a doubt it granted PHI access to unauthorized individuals.
The computer kept data regarding patients’ names and medical insurance numbers. Additionally, it stored the driver’s license numbers and Medicare numbers of a number of patients. Although unauthorized people can possibly view the information, there was no hint that PHI was accessed or stolen by attackers. The patients also received notification regarding the information of the attack. The folks whose Medicare number and driver’s license numbers were compromised likewise got offers of complimentary one year credit monitoring services.
As a result of the breaches, Purdue University’s security group integrated more security controls and improved monitoring. They also enforced full drive encryption and network segmentation. Purdue University reported the breach incident to the Department of Health and Human Services’ Office for Civil Rights. The breach affected around 1,711 patients.