Purdue University Pharmacy and the Family Health Clinic of Carroll County (“Purdue”) take seriously the confidentiality and security of our patients’ information. Regrettably, this notice is regarding a recent data security incident involving Purdue patients’ information.

On April 5, 2018, Purdue’s security team identified that an unauthorized remote access file was installed on certain pharmacy computers. Based on a forensic analysis, we believe that the file was placed on the computers on or about September 1, 2017. The analysis of the pharmacy computers revealed that one device contained prescription dispensing reports, which may have included patients’ names, Patient Identification Numbers, dates of birth, dates of service, and medication information. With regard to some patients, the reports also included Purdue identification numbers, diagnoses, treatment, and amounts billed and paid. Although the investigation found no evidence that these types of information on any pharmacy device were actually accessed or taken as a result of the incident, this possibility could not be entirely ruled out. The device did not contain any Social Security numbers or any personal financial information.

As we continued our investigation, on May 4, 2018, our security team identified that malware was installed on a Family Health Clinic of Carroll County computer used to scan health insurance cards. Based on a forensic analysis, we believe that the file was placed on the computer on or about March 15, 2018. The analysis of the computer revealed the information on the computer may have included patients’ names, health insurance information, and in some cases patients’ driver’s license numbers and Medicare numbers. Although the investigation found no evidence that this information on the computer was actually accessed or taken as a result of the incident, this possibility could not be entirely ruled out.

As a precaution, we are sending letters to patients on May 25, 2018. We have established a dedicated call center to answer any questions patients may have. For those patients whose driver’s license or Medicare numbers may have been included on the Family Health Clinic computer, we are offering one free year of credit monitoring and identity protection services. Patients should monitor their health bills and explanation of benefits (EOBs) statements for services that they did not receive. If a patient finds any irregularities in this regard, the patient should contact their health care provider or insurer immediately. If you believe you may have been affected but do not receive a letter by June 15, 2018, please call 1-855-804-8573, Monday through Friday, between 9 a.m. and 9 p.m. ET.

We regret this incident occurred and apologize for any inconvenience to our patients. We are implementing additional security measures in regard to the Purdue computer network in order to help prevent similar incidents, including full drive encryption, segmenting devices on the network, and enhanced monitoring.