Inova Health System Says 1.05 Million Individuals Impacted by Blackbaud Ransomware Attack
Falls Church, VA-based Inova Health System is one of the latest healthcare providers to confirm that it has been affected by the ransomware attack on Blackbaud. A backup of its donor database contained the information of 1,045,270 donors, patients, and prospective donors, which takes the total number of healthcare victims in the United States past 2.99 million. That total is also likely to grow as the deadline for reporting the breach to the HHS has not yet been reached.
On July 16, 2020, Blackbaud issued notifications to its clients that it had suffered a ransomware attack. Unauthorized individuals gained access to its systems on February 7, 2020, with access possible until May 20, 2020 when the attack was detected when ransomware was deployed. Prior to the deployment of ransomware, certain data were exfiltrated from Blackbaud’s servers. While not all clients were affected, the attackers were able to obtain backups of fundraising databases of many of the firm’s clients.
For most organizations, the breached data were limited to donor names, addresses, dates of birth, contact information, and giving history and, for patients, also provider names, dates of service, and hospital departments where treatment was provided. Blackbaud said credit card information, bank account information, and Social Security numbers were not compromised.
Blackbaud agreed to pay the ransom demand and was provided with the keys to decrypt files encrypted in the attack and arrangements were made with the attackers to have the data stolen permanently deleted. Blackbaud is satisfied that all data stolen in the attack have been permanently deleted and were not further disclosed by the attackers. Blackbaud also confirmed that the vulnerability that was exploited by the attackers to gain access to its systems has now been fixed.
No evidence has been found that suggests there have been further disclosures of data stolen in the attack, Blackbaud has seen evidence indicating the data were deleted, and the firm is using a third-party to monitor the dark web to ensure that no copies are offered up for sale or are publicly disclosed.
U.S. Healthcare Organizations Affected by the Blackbaud Ransomware Attack
The HIPAA Breach Notification Rule allows a maximum of 60 days from the discovery of a data breach to issue notifications. Since notifications were issued to affected clients on July 16, 2020, there may still be some healthcare providers affected by the breach that have yet to report.
The list below is not comprehensive but includes entities that are known to have been affected by the breach, together with the number of individuals potentially affected, where known.
|Breached Entity||Individuals Affected|
|Inova Health System||1,045,270|
|Northern Light Health||657,392|
|Saint Luke’s Foundation||360,212|
|MultiCare Health System||179,189|
|University of Kentucky HealthCare||163,000|
|University of Florida Health||135,959|
|The Guthrie Clinic||92,064|
|Main Line Health||60,595|
|Northwestern Memorial HealthCare||55,593|
|Richard J. Caron Foundation||22,718|
|University of Detroit Mercy||Unconfirmed|
|Children’s Hospital of Pittsburgh Foundation||Unconfirmed|
|NorthShore University Health System||Unconfirmed|
|Cancer Research Institute (NYC)||Unconfirmed|
|Prostate Cancer Foundation.||Unconfirmed|