Cyber Incident Victim: Purdue University Pharmacy
Date: Sep 2017
Location: United States of America
Summary
A security breach at Purdue University Pharmacy and its affiliated Family Health Clinic potentially compromised patient information, including names, identification numbers, dates of birth, medication details, diagnoses, treatment records, and billing amounts. Unauthorized access files and malware were discovered on compromised systems, which may have also exposed health insurance data, driver's license numbers, and Medicare identifiers in some cases. While investigations found no evidence of data access or exfiltration, the institution could not eliminate the possibility. Affected individuals were notified, with credit monitoring services offered to those potentially impacted by driver's license or Medicare exposures. The organization implemented enhanced security measures including full drive encryption, network segmentation, and improved monitoring protocols following the incidents.
Description
In April 2018, Purdue University’s security team discovered an unauthorized access file installed on computers at the Purdue University Pharmacy. The file had been placed on the systems on September 1, 2017. The investigation revealed that compromised information could include patient names, identification numbers, dates of birth, dates of service, and medication details. Purdue’s analysis found no evidence that the data was accessed or exfiltrated but could not eliminate the possibility entirely. The affected computer also stored Purdue identification numbers, diagnoses, treatment information, and billing amounts, though no Social Security numbers or personal financial data was present on the device.

Separately, in May 2018, Purdue identified malware on a computer at the affiliated Family Health Clinic of Carroll County, which had been used to scan health insurance cards. This malware was installed on March 15, 2018, and potentially exposed patient names, health insurance details, and in some instances, driver’s license numbers and Medicare identifiers. As with the pharmacy incident, investigators found no proof of data access or theft but acknowledged the risk could not be discounted.

Purdue initiated notification letters to affected patients starting the week of May 30, 2018, with mailings dispatched on Friday of that week. The university established a dedicated call center to address patient inquiries and offered one year of complimentary credit monitoring and identity protection services to individuals whose driver’s license or Medicare numbers were potentially compromised. Patients were advised to scrutinize their healthcare bills and insurance statements for unauthorized services. Purdue implemented network security enhancements including full drive encryption, network segmentation, and intensified monitoring to prevent recurrence. The organization emphasized these measures were proactive safeguards despite lacking evidence of actual data misuse in either incident.
