Sarasota, FL (WorkersCompensation.com) – A security breach earlier this year at cloud software company Blackbaud, has impacted over 25,000 nonprofit organizations all over the world, including several healthcare systems. The company paid the ransom to have the stolen data destroyed, however the breach impacted information of at least 2 million individuals from 11 healthcare systems.
On May 14th, the company discovered and stopped the ransomware attack on their local non-cloud server. According to a report from The Non Profit times, the attack was initiated by a suspicious login on an internal server. Because the access was through a data center, the cloud operation was not breached. However, the criminals were able to access a subset of data from the company’s self-hosted environment. Because of the nature of the login, the breach appeared like a regular customer service access. The company’s investigations tracked the incident back to February 7th. The criminals expanded their access through the server until June 3rd. The cybercriminals contacted Blackbaud with a bitcoin ransom demand and provided proof that the stolen data had been destroyed once the ransom was released.
Blackbaud states that no banking information nor Social Security numbers were accessed. However, according to a release from Atrium Health in North Carolina, patient names and contact information, as well as demographic information such as date of birth, guarantor information, and treatment information may have been accessed. According to the report filed on the HHS Data Breach website, a total of 165,000 patient records were included in the breach.
Northern Light Health of Maine was one of the healthcare systems that was also impacted by the breach. According to the HHS Data Breach reports, 657,392 patient records were impacted.
Saint Luke’s Health System in Missouri reported their breach on August 20th. The number of patient records involved totaled 360,212.
Multicare Health System of Washington reported their breach on August 22nd. The HHS Data Breach report shows a total of 179,189 patient records included in their report.
Northshore University Health System of Illinois, Catholic Health system in New York, and UK Health system in Kentucky all issued statements regarding the data breach but stated that no patient information was included.
Within a one week period last month alone, there have been at least 10 data breaches reported to HHS.