Blackbaud Data Breach Healthcare Victim Count Rises to Almost 1 Million

The number of healthcare providers confirmed to have been affected by the Blackbaud ransomware attack and data breach is growing, with a further four healthcare providers issuing breach notifications in the past few days.

Yesterday we reported Northwestern Memorial HealthCare had been affected and the personal information of 55,983 individuals was compromised. Now the Department of Health and Human Services’ Office for Civil Rights breach portal shows 179,189 MultiCare Health System donors and potential donors have been affected, as have 52,500 donors to Spectrum Health Lakeland Foundation, and 22,718 donors to the Richard J. Caron Foundation.

Earlier this month, Northern Light Health Foundation confirmed that the information of 657,392 donors was compromised in the breach. Catholic Health and its foundations, the University of Detroit Mercy, and Children’s Hospital of Pittsburgh Foundation are also known to have been affected by the Blackbaud data breach.

The total number of healthcare organizations affected by the breach is still not known, nor is the total number of individuals impacted, but the count is rapidly approaching 1 million.

Blackbaud is one of the largest providers of fundraising database and support services for health care organizations, educational institutions, and other non-profits worldwide. The company maintains records for more than 25,000 non-profit organizations.

The ransomware attack occurred on or around May 14, 2020; however, the attackers had initially gained access to its systems several months earlier, in February 2020. Blackbaud took action to limit the extent of the file encryption and contained the attack by May 20, 2020. Prior to the deployment of ransomware, the attackers were able to exfiltrate a subset of data from Blackbaud’s self-hosted environment, including the platform used by many healthcare organizations for engagement and fundraising.

Blackbaud’s cloud services are extensively used by healthcare organizations the world over, including 30 of the top 32 largest nonprofit hospitals, but the company said its public cloud environment was not affected and neither was the majority of its self-hosted environment.

For the most part, the breach was limited to the names of donors, individuals who had attended fundraising events in the past, and community members with relationships with the affected healthcare organizations.

In addition to names, demographic information such as addresses, dates of birth, telephone numbers, and email addresses was compromised, and in some cases, donation dates, donation amounts, and other donor profile information. For the majority of affected healthcare organizations, highly sensitive information such as bank account information, credit card information, and Social Security numbers was not affected.

Blackbaud issued a statement about the breach confirming the ransom demand was paid in order to obtain the keys to decrypt data and to prevent any malicious use of the data stolen in the attack.

“Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly… We apologize that this happened and will continue to do our very best to supply help and support as we and our customers jointly navigate this cybercrime incident,” explained Blackbaud in its ransomware and data breach notification.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.