HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Financial information and SSNs Potentially Accessed in Blackbaud Ransomware Attack

On Wednesday, Blackbaud filed a Form 8-K with the U.S. Securities and Exchange Commission (SEC) that provided further information on the ransomware attack the company suffered in May 2020. Blackbaud explained that the forensic investigation into the breach has revealed further information was potentially compromised in the breach. For certain customers, unencrypted fields that were intended for Social Security numbers, bank account information, and usernames and passwords may also have been accessed by the hackers.

Most of the customers affected by the breach did not have this additional information exposed, as the fields for sensitive information were encrypted and any data included in those fields would have been unreadable to the attackers. Blackbaud explained that any customers who may have had sensitive information exposed are being contacted and notified and additional support is being provided.

Blackbaud explained in the SEC filing that the company was able to prevent the attackers from fully encrypting certain files but confirmed that prior to encryption a subset of data was removed from Blackbaud’s private hosted cloud.

Blackbaud previously explained that the ransom demand had been paid to ensure that data stolen in the attack did not get sold or released publicly. Assurances were received that the stolen data had been deleted after the ransom demand was paid. There is no mention in the SEC filing about how much the company paid for the keys to decrypt files and to have the data deleted.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Blackbaud is confident that the data have not been released publicly or further disclosed; however, there is always a risk when paying cybercriminals that have just conducted an attack, stolen data, and encrypted files, that they may not be true to their word and could still have a copy of the stolen data. Blackbaud is taking precautions and has retained a cybersecurity company to monitor the dark web and hacking forums for any release of data stolen in the attack.

Blackbaud sent notifications about the breach on July 16 and HIPAA covered entities have 60 days to report the breach. Throughout August and September, the number of breaches listed on the HHS’ Office for Civil Rights breach portal has steadily grown. At least 58 healthcare organizations in the United States have publicly stated that they have been affected and more than 3 dozen breaches are currently listed on the OCR breach portal.

The worst affected entity so far is Trinity Health, which is listed as having had the protected health information of 3,320,726 individuals exposed in the breach. Inova Health System has reported a breach of 1,045,270 individuals’ PHI, and Northern Light Health says the PHI of 657,392 individuals was exposed. Many other healthcare providers have reported breaches affected hundreds of thousands of individuals. So far, the protected health information of almost 10 million individuals is known to have been exposed.

Blackbaud is working closely with security firms and law enforcement and investigations into the breach are continuing.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.