Two breaches at Purdue University affect more than 1,700 patients

Purdue University Pharmacy found an unauthorized remote access file had been installed on pharmacy systems, putting some patient data at risk.

A subsequent forensics investigation found the file, which was discovered in Indiana on April 5, had been in place since September 2017.

As the investigation moved into May, the security team found malware also had been installed on a computer used to scan health insurance cards at the affiliated Family Health Clinic of Carroll County, a group practice, around mid-March. In all, 1,711 patients were affected.

The Purdue breach potentially compromised protected health information that included patient names, patient identification numbers, diagnoses, treatments, and amounts billed and paid.

Analysis of the infected computer at Family Health Clinic of Carroll County found at-risk data could have included patient names, health insurance information, driver’s license numbers and Medicare numbers.

In both breaches, no evidence was found that data was actually accessed or taken, but the possibility could not be ruled out, according to a notification letter sent to patients. Consequently, 78 patients with driver’s license numbers at risk and another 34 patients with Medicare numbers at risk on the Family Health Clinic computer have been offered one year of credit monitoring and identity protection services from Experian.

All patients are being advised to monitor healthcare bills and explanation of benefits statements for services not received and to contact providers or insurers if irregularities are found.

“We regret this incident occurred and apologize for any inconvenience to our patients,” the university told affected individuals. “We are implementing additional security measures in regard to the Purdue computer network to help prevent similar incidents, including full drive encryption, segmenting devices on the network and enhanced monitoring.”

In response to further inquiries about the data exposure, Purdue University Pharmacy declined to provide additional details about the incident.
