Getty Images/iStockphoto

1M Inova Health Individuals Added to Blackbaud Breach Victim Tally

Over 1 million individuals from Inova Health and several other providers were added to the Blackbaud breach victim tally; an email hack, and a cyberattack complete this week’s breach roundup.

The Blackbaud breach victim tally has climbed to nearly 3 million healthcare-connected entities and other nonprofits. In the last week, Inova Health System reported more than 1 million individuals were affected by the incident, as well as several other healthcare provider organizations. 

Blackbaud, a cloud computing vendor for a range of nonprofits, foundations, corporations, education institutions, healthcare entities, and change agents, reported that its self-hosted environment was hit with a ransomware attack on May 14

The cyberattack was stopped six days later, but the incident lasted between February 7 and May 20, 2020. The hackers stole a subset of data during the attack before Blackbaud was able to shut the attackers out of the system. And officials said they paid the ransom “with confirmation that the copy they removed had been destroyed.” 

In mid-August, Northern Light Health Foundation in Maine became one of the first reported victims in healthcare with about 657,392 donors, potential donors, and patients who supported the foundation affected by the breach. 

During the first week of September, at least six more healthcare entities had been added to the Blackbaud victim tally: Saint Luke’s Foundation (360,212), MultiCare Foundation (300,000 total individuals, of which 179,189 are patients), Spectrum Health (52,711), Northwestern Memorial HealthCare (55,983), and Main Line Health (60,595). 

Inova Health System in Virginia has since been added to the tally with 1.05 million affected individuals, making it the hardest hit healthcare entity, thus far. Officials said Blackbaud notified Inova about the incident in July and launched its own investigation with assistance from a third-party cybersecurity firm. 

On August 10, the investigation determined the data exfiltrated by the hackers contained  the personal information of some patients and donors, including names, contact details, dates of birth, provider names, dates of service, department visited, and or the philanthropic giving history, such as the dates and amounts. 

Social Security numbers, financial accounts, and payment information were not taken during the attack. 

California-based Enloe Medical Center was also affected by the Blackbaud incident. Officials said they launched an independent organization and found the hacker obtained patient names, contact information, medical treatment discharge dates, and departments visited. Some patient dates of birth, phone numbers, and or email addresses were also compromised during the attack. 

The number of impacted patients has not yet been posted on the Department of Health and Human Services breach reporting tool. 

The Blackbaud breach also claimed the data of about 93,000 patients from Roper St. Francis Healthcare, including patient names, ages, genders, dates of birth, contact details, departments of service, and provider names. 

The data of about 348,000 patients of NorthShore University Health System in Illinois was compromised in the attack, as well, and limited to names, dates of birth, and some clinical information. 

About 163,000 donors, who were previous patients, to the University of Kentucky HealthCare were also affected by the Blackbaud incident, which included names, contact information, medical record numbers, service department, provider names, admission dates, and dates of birth. 

The Guthrie Clinic, a member of the Mayo Clinic Care Network, was also affected by the Blackbaud incident, which compromised the data of 92,064 patients. The data included names, contact details, age, gender, dates of treatment, departments of service, treating providers, and health insurance status. 

The clinic is currently examining its vendor relationship with Blackbaud and evaluating their security safeguards. 

Lastly, about 165,000 Atrium Health patients were affected by the Blackbaud incident. The exfiltrated data included names, contact details, demographic information, patient IDs, dates of treatment, locations of service, and treating physician names. 

And if the patient donated to the provider, the date and amount of donation may also have been included in the breached data. 

With the added victims, the Blackbaud ransomware attack is by far the largest healthcare data breach of 2020. Notably, last year’s largest breach was also vendor-related and had a rippling effect across healthcare. The American Medical Collection Agency breach impacted more than 25 million patients from dozens of providers. 

Roper St. Francis Healthcare Reports Email Hack 

Just five days prior to notifying patients about the Blackbaud cyberattack, Roper St. Francis reported an email hack to its patients. 

A hacker gained access to an employee email account between June 13 and June 17, which was not discovered until a few weeks later on July 8. Upon discovery, the account was secured and an investigation was launched with help from a leading forensic security firm. 

The investigation determined patient information, including names, dates of birth, medical record or patient account numbers, and limited clinical and or treatment information was potentially viewed by the attacker. 

A limited number of patients saw their health insurance and or Social Security numbers compromised. Only patients whose data was contained in the breached email account were impacted by the hack. 

This is the second email-related breach reported by Roper St. Francis in less than two years. Thirteen employees fell victim to a November 2018 phishing campaign, which compromised the data of about 32,178 patients.

Cyberattack on Baton Rouge Clinic Impacts 308K Patients 

The Baton Rouge Clinic recently notified 308,000 patients that their data was potentially breached after a cyberattack on its electronic database. 

Discovered on July 8, officials said hackers attempted to breach the clinic’s email system and some electronic patient-related records. An outside technology team was hired to investigate the incident and eliminate the attack, which resulted in the encryption of some files and rendering them inaccessible to the clinic. 

According to the notice, the hackers exfiltrated some data during the cyberattack. But officials did not disclose just what data was breached during the incident, or if the attack was ransomware. 

"The attack was resolved and access to the electronic files returned,” officials said in a statement. “The attacker confirmed that none of the files were used or disclosed to anyone and any files taken were destroyed.” 

The Baton Rouge Clinic has since installed additional safeguards and provided employees with added security training to prevent an attack recurrence. An outside cybersecurity firm was retained to monitor the clinic’s technology infrastructure.

Next Steps

Dig Deeper on Healthcare data breaches