Inova Health System in Falls Church, VA is one of the healthcare companies that recently confirmed it was affected by the Blackbaud ransomware attack. The backup donor database involved contained information on 1,045,270 donors, prospective donors and patients. Hence, there are now a total of over 2.99 million healthcare victims in the US. That number is very likely to increase, as the deadline for submitting breach reports to the HHS has not yet passed.
On July 16, 2020, Blackbaud notified its clients that it had experienced a ransomware attack. Unauthorized persons had access to its systems from February 7, 2020 until May 20, 2020, when Blackbaud discovered the attack and the ransomware deployment. Before the ransomware was deployed, the attackers exfiltrated certain data from Blackbaud's servers. Although not all clients were impacted, the attackers obtained copies of the fundraising databases of many of the company's clients.
For the majority of companies, the breached information only included donor names, birth dates, addresses, contact data, and donation records. For affected patients, the provider names, hospital sections where treatment was given, and dates of service were also compromised. Blackbaud stated that no credit card data, bank account details, or Social Security numbers were compromised.
Blackbaud decided to pay the attackers' ransom demand and got the keys to decrypt the encrypted files. The attackers also deleted the stolen data permanently. Blackbaud is satisfied that the attackers made no further disclosure of any stolen data. Blackbaud additionally confirmed that it has fixed the vulnerability the attackers exploited to access its systems.
No evidence has been found that indicates further disclosure of the stolen data. Blackbaud has found evidence showing the data was deleted, and the company is hiring a third party to monitor the dark web to make sure no copies are made available for sale or publicly exposed.
List of U.S. Healthcare Companies Impacted by the Blackbaud Ransomware Attack
The HIPAA Breach Notification Rule permits up to 60 days from the date of data breach discovery to send notifications. Because Blackbaud issued notifications to impacted clients on July 16, 2020, a number of healthcare providers impacted by the breach may still submit a report.
The following list of affected healthcare providers is not complete but consists of entities that were impacted by the breach, along with the number of people potentially affected.
1. Inova Health System – 1,045,270 affected persons
2. Northern Light Health – 657,392 affected persons
3. Saint Luke’s Foundation – 360,212 affected persons
4. MultiCare Health System – 179,189 affected persons
5. University of Kentucky HealthCare – 163,000 affected persons
6. University of Florida Health – 135,959 affected persons
7. The Guthrie Clinic – 92,064 affected persons
8. Main Line Health – 60,595 affected persons
9. Aveanna Healthcare – 166,000 affected persons
10. Northwestern Memorial HealthCare – 55,593 affected persons
11. Spectrum Health – 52,711 affected persons
12. Richard J. Caron Foundation – 22,718 affected persons
13. SCL Health – Unconfirmed
14. Children’s Hospital of Pittsburgh Foundation – Unconfirmed
15. University of Detroit Mercy – Unconfirmed
16. Atrium Health – Unconfirmed
17. Cancer Research Institute (NYC) – Unconfirmed
18. NorthShore University Health System – Unconfirmed
19. Prostate Cancer Foundation – Unconfirmed
Total number of affected persons: 2,990,703