Inova Health System Says 1.05 Million Individuals Impacted by Blackbaud Ransomware Attack

Falls Church, VA-based Inova Health System is one of the latest healthcare providers to confirm that it has been affected by the ransomware attack on Blackbaud. A backup of its donor database contained the information of 1,045,270 donors, patients, and prospective donors, which takes the total number of healthcare victims in the United States past 2.99 million. That total is also likely to grow as the deadline for reporting the breach to the HHS has not yet been reached.

On July 16, 2020, Blackbaud issued notifications to its clients that it had suffered a ransomware attack. Unauthorized individuals gained access to its systems on February 7, 2020, and access remained possible until May 20, 2020, when the attack was detected as ransomware was deployed. Prior to the deployment of ransomware, certain data were exfiltrated from Blackbaud’s servers. While not all clients were affected, the attackers were able to obtain backups of fundraising databases of many of the firm’s clients.

For most organizations, the breached data were limited to donor names, addresses, dates of birth, contact information, and giving history and, for patients, also provider names, dates of service, and hospital departments where treatment was provided. Blackbaud said credit card information, bank account information, and Social Security numbers were not compromised.

Blackbaud agreed to pay the ransom demand and was provided with the keys to decrypt files encrypted in the attack. Arrangements were made with the attackers to have the stolen data permanently deleted. Blackbaud is satisfied that all data stolen in the attack have been permanently deleted and were not further disclosed by the attackers. Blackbaud also confirmed that the vulnerability that was exploited by the attackers to gain access to its systems has now been fixed.

No evidence has been found that suggests there have been further disclosures of data stolen in the attack. Blackbaud has seen evidence indicating the data were deleted, and the firm is using a third party to monitor the dark web to ensure that no copies are offered up for sale or are publicly disclosed.

U.S. Healthcare Organizations Affected by the Blackbaud Ransomware Attack

The HIPAA Breach Notification Rule allows a maximum of 60 days from the discovery of a data breach to issue notifications. Since notifications were issued to affected clients on July 16, 2020, there may still be some healthcare providers affected by the breach that have yet to report.

The list below is not comprehensive but includes entities that are known to have been affected by the breach, together with the number of individuals potentially affected, where known.

| Breached Entity | Individuals Affected |
| --- | --- |
| Inova Health System | 1,045,270 |
| Northern Light Health | 657,392 |
| Saint Luke’s Foundation | 360,212 |
| MultiCare Health System | 179,189 |
| University of Kentucky HealthCare | 163,000 |
| University of Florida Health | 135,959 |
| The Guthrie Clinic | 92,064 |
| Main Line Health | 60,595 |
| Aveanna Healthcare | 166,000 |
| Northwestern Memorial HealthCare | 55,593 |
| Spectrum Health | 52,711 |
| Richard J. Caron Foundation | 22,718 |
| SCL Health | Unconfirmed |
| University of Detroit Mercy | Unconfirmed |
| Children’s Hospital of Pittsburgh Foundation | Unconfirmed |
| Atrium Health | Unconfirmed |
| NorthShore University Health System | Unconfirmed |
| Cancer Research Institute (NYC) | Unconfirmed |
| Prostate Cancer Foundation | Unconfirmed |
| Total | 2,990,703 |

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.