Date: Mar 2017

Location: United States of America

Summary

A cybersecurity incident at Purdue University Pharmacy and the Family Health Clinic of Carroll County involved unauthorized access files and malware potentially compromising patient data. The pharmacy breach potentially exposed names, identification numbers, birth dates, medication details, diagnoses, treatment information, and billing amounts. At the related clinic, a malware-infected computer used for scanning insurance cards put at risk names, health insurance data, and in some cases driver's license or Medicare numbers. No evidence confirmed data access or theft, but unauthorized access remained possible. Social Security and financial information were unaffected. The organization notified patients, established a dedicated call center, offered credit monitoring for those with exposed license or Medicare details, and implemented enhanced security measures including full drive encryption and network segmentation.

Description

In April 2017, Purdue University’s security team identified an unauthorized access file installed on computers at Purdue University Pharmacy, with the file dated to September 1, 2017. The investigation revealed that patient names, identification numbers, dates of birth, medication details, dates of service, diagnoses, treatment information, and billing amounts were potentially exposed, though no evidence confirmed data exfiltration. Separately, in May 2017, Purdue discovered malware on a computer at the Family Health Clinic of Carroll County, a facility affiliated with its network. This computer, used specifically for scanning health insurance cards, had been compromised by malware installed on March 15, 2017. The affected system contained patient names, health insurance information, and in some instances, driver’s license numbers and Medicare identifiers. Purdue confirmed no Social Security numbers or financial data were stored on the Family Health Clinic’s compromised device. For both incidents, investigators found no proof that attackers accessed or extracted information but could not eliminate the possibility of unauthorized exposure.

Purdue began sending notification letters to affected patients on May 26, 2017, and established a dedicated call center to address inquiries. Individuals whose driver’s license or Medicare numbers were potentially exposed were offered one year of complimentary credit monitoring and identity protection services. Patients were advised to scrutinize their healthcare bills and insurance statements for unauthorized services. Purdue implemented network-wide security enhancements following the breaches, including full drive encryption, network segmentation, and intensified monitoring protocols. These measures aimed to prevent recurrence, though the root cause of the initial malware installations remained unspecified in public disclosures. The university’s response emphasized containment through system hardening and patient support, without disclosing forensic details regarding the malware’s origin or operational impact beyond data accessibility risks.
