Breach Notification , Fraud Management & Cybercrime , Incident & Breach Response

Tally of Those Affected by Blackbaud Hack Soars

Reports of Breaches, Including One Affecting 1 Million, Continue to Mount
Tally of Those Affected by Blackbaud Hack Soars

The number of individuals affected by the May ransomware attack on cloud-based software vendor Blackbaud, which involved the theft of data, continues to soar. And breach reports tied to the incident now total over 170, according to one estimate.

See Also: The Gorilla Guide to Modern Data Protection

Meanwhile, Blackbaud, which offers marketing, fundraising and customer relationship management software, faces a lawsuit that questions the company's move to pay off a hacker in return for a promise to delete data that was stolen (see: Class Action Lawsuit Questions Blackbaud's Hacker Payoff).

In the latest breach update, Virginia-based Inova Health System has reported that more than 1 million individuals it serves had their data exposed as a result of the Blackbaud incident, according to the Department of Health and Human Services’ HIPAA Breach Reporting Tool.

The HHS Office for Civil Rights website - also commonly called the “wall of shame” - lists health data breaches affecting 500 or more individuals.

In its breach notification statement, Inova says it determined information stolen in the Blackbaud incident may have contained personal information of its patients and donors, including names, addresses, dates of birth, phone numbers, provider names, dates of service and philanthropic giving details.

Inova is among at least 20 healthcare organizations identified by Information Security Media Group as having issued breach notification statements tied to the Blackbaud ransomware incident. But as of Friday, nearly half of those breach reports were not yet posted on the HHS breach reporting website (see: Blackbaud Ransomware Victim Count Climbing).

Blackbaud Ransomware Attack Health Data Breaches, Update

Breached Entity Individuals Affected
Inova Health 1 million
Northern Light Health 657,000
Saint Luke's Foundation 360,000
MultiCare Health System 179,000
University of Florida Health 136,000
The Guthrie Clinic 92,000
Main Line Health 61,000
Northwestern Memorial HealthCare 56,000
Spectrum Health 53,000
Richard J. Caron Foundation 23,000
Atrium Health N/A
NorthShore University HealthSystem N/A
SCL Health - St. Mary’s N/A
Catholic Health N/A
Boulder Community Health Foundation N/A
Enloe Medical Center N/A
University of Kentucky (UK) Healthcare N/A
UT Health San Antonio N/A
Riverside Health System N/A
Total: 2.66 Million
Sources: U.S. Dept. of Health and Human Services, breached healthcare entities

‘Complex Breach’

The Blackbaud incident “is not just one breach, and therefore risk is compounded for everyone - breached entities, consumers, affected financial account providers such as banks, credit unions, or tax authorities - because it’s a complex of breaches,” says Jim Van Dyke, CEO of security services firm Breach Clarity, which has been tracking the Blackbaud fallout.

“The last count of publicly reported data breaches related to Blackbaud is 173 breaches - and it was 163 last week,” he says. “Expect more. … This is likely to be one of the biggest breaches of the year. And due to the complexity, the misinformation factor could exacerbate the damage. Both consumers and businesses will pay a price here.”

Other Sectors Hit

The incident involving Blackbaud – a cloud-based fundraising database management vendor - also affected many of the company’s clients outside the healthcare sector, including universities, nonprofits and others.

Among those affected are the joint fundraising arm of Valley City State University, the University of North Dakota, North Dakota State University, and Minot State University; the University of Bridgeport; the West Virginia University Foundation; and Emerson College in Boston.

National Public Radio stations, the Vermont Food Bank and the Episcopal Relief & Development organization also were affected.

Global Reach

Because the list of victims also includes organizations in Europe, Blackbaud must comply with the European Union's General Data Protection Regulation. Educational institutions in Europe that have been impacted include England's University of Manchester and the National University of Ireland in Galway.

Other institutions across the globe affected by the Blackbaud incident include Canada's University of Western Ontario and New Zealand's University of Auckland (see: Blackbaud’s Bizarre Ransomware Attack Notification).

Blackbaud Statements

In a statement provided to Information Security Media Group on Friday, Blackbaud says: “Based on the nature of the incident, our research and third-party - including law enforcement - investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly. [The attacker's] motivation was to disrupt our business by encrypting customer files in our datacenters, which we were able to prevent. We have hired a third-party team of experts to monitor the dark web as an extra precautionary measure.”

The company declined to provide additional details about the incident, including the number of organizations and individuals affected. “We will not be commenting beyond the statement on our website,” the company tells ISMG.

Blackbaud acknowledged earlier that it “discovered and stopped a ransomware attack” in May.

After discovering the incident, the company’s security team, along with independent forensics experts and law enforcement, “successfully prevented the cybercriminal from blocking our system access and fully encrypting files and ultimately expelled them from our system,” Blackbaud said.

“Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment. The cybercriminal did not access credit card information, bank account information or Social Security numbers,” the company said.

“Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed.”

Customers who were affected by the incident were notified and supplied with additional information and resources, the company added.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.