HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Blackbaud Ransomware Attack Impacts 657,392 Northern Light Health Foundation Donors

Northern Light Health Foundation, the Brewer, ME-based 10-hospital integrated healthcare system, has announced that it has been affected by the recent ransomware attack on Blackbaud Inc.

The databases affected contained information about donors, potential donors, and individuals who may have attended a fundraising event in the past. Patient medical records were stored separately and were unaffected. The databases contained the records of 657,392 individuals.

South Carolina-based Blackbaud is one of the world’s largest providers of education, administration, fundraising, and financial management software. A company as large as Blackbaud is naturally a target for cybercriminals. Blackbaud explained it encounters millions of attacks each month and its cybersecurity team successfully defends the company against those attacks, although in May 2020 one of those attacks succeeded.

The ransomware attack could have been far worse. Blackbaud detected the ransomware attack quickly and took action to block the attack. Blackbaud was able to prevent the ransomware from fully encrypting its files, and only a subset of the company’s 25,000+ clients were affected. The attack did not affect its cloud environment and the majority of its self-hosted environment was unaffected.


As is now common in manual ransomware attacks, data was exfiltrated by the attackers prior to file encryption. Blackbaud said in its breach notice that only a subset of data was copied by the attackers and that highly sensitive information such as Social Security numbers, credit card information, and bank account information was not stolen in the attack.

“Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly,” explained Blackbaud in its substitute breach notice.

It is currently unclear how many Blackbaud clients have been affected by the attack. Northern Light Health Foundation said it was one of thousands affected in its breach notice, including several other healthcare organizations in Maine. Other healthcare organizations known to have been affected include the New York City-based Cancer Research Institute and the Santa Monica, CA-based Prostate Cancer Foundation.

The BBC reports that at least 10 universities in the US, UK, and Canada have been affected, including Harvard University, Emerson College in Boston, and the Rhode Island School of Design, along with charities, media firms, and a host of private sector companies. While the attack occurred in May 2020, notifications were not sent to affected clients until July 16, 2020. It is unclear why there was such a long delay in alerting affected clients, especially considering many of those clients are located in the EU. The EU General Data Protection Regulation (GDPR) requires notifications to be sent to data protection authorities within 72 hours of a breach and data controllers to also be notified promptly.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.