Eight of the 10 largest healthcare data breaches reported to the federal government last month stemmed from a ransomware attack at a third-party software vendor, Blackbaud.
The two data breaches that weren't tied to the cyberattack at Blackbaud, at the Baton Rouge (La.) Clinic and University of Missouri Health Care, both involved hackers.
Dozens of healthcare organizations, educational institutions and other not-for-profits in the U.S. and abroad have been affected by the cyberattack at Blackbaud, a company that sells software to not-for-profits to manage fundraising, marketing and other operations.
Nearly 80 organizations that work with health data had information compromised in the Blackbaud data breach, according to a report compiled by DataBreaches.net, affecting data on a collective 5.5 million people so far. The report included any organization that might collect health data from donors; it isn't limited to HIPAA-covered entities.
At Livonia, Mich.-based Trinity Health, more than 3.3 million patients may have had personal and protected health information compromised in the Blackbaud data breach.
Blackbaud in July notified Trinity Health about the cyberattack, which affected data held in some donor database backup files maintained by the company.
That potentially exposed patient information including demographic data like names, addresses, dates of birth and ages, as well as such medical data as inpatient-outpatient status, dates of service, hospital location, physician name, discharge status, name of insurance and department of service, according to a notice Trinity Health posted online.
“After a patient receives care at a Trinity Health ministry, our philanthropy teams reach out with the opportunity to express gratitude in honor of their care teams,” the system wrote in an update on its website, noting data like date of last service helps to ensure patients aren't contacted too soon after care and physician names are used if a patient wants to send a thank-you note.
Information in the database spans 2000 to 2020.
Hospitals have varied in what data was held in Blackbaud's systems.
“It's common for foundations to solicit patients for donations,” said Drex DeFord, healthcare executive strategist at cybersecurity consulting firm CI Security and former health system chief information officer. But how much information is collected “specific to the patient and their disease, where they were treated, and who the doctors were, I think probably varies widely.”
It's a particularly bad time for a breach of fundraising systems, he said, since hospitals have lost revenue amid COVID-19.
“Healthcare organizations (and) not-for-profits rely on donors now more than ever,” DeFord said. “This is exactly the wrong time to see a donor database compromised and those donors then starting to second-guess whether or not they want to give money.”
Upon discovering the ransomware attack in May, Blackbaud said its security team was able to block the cybercriminals from fully encrypting files and removed them from the company's information systems; however, before that point, the cybercriminals had already taken a copy of some of the company's data.
Blackbaud paid a ransom demand to the cybercriminals, who in exchange destroyed the data copy, according to a notice describing the incident that Blackbaud posted online.
Paying a hacker's ransom demand is discouraged by cybersecurity experts, including the Federal Bureau of Investigation, who say the practice can enable future criminal activity.
The federal government in early October took another step to try to stop organizations from paying ransoms, with the Treasury Department issuing an advisory that companies that facilitate ransomware payments, such as cyber insurance firms and incident response teams, could face fines for violating regulations from the department's Office of Foreign Assets Control.
As of Wednesday, HHS' Office for Civil Rights had posted 82 data breach reports that healthcare providers, insurers and their business associates had submitted to the agency in September. That is the highest number of data breaches reported in a single month since OCR began tracking healthcare data breaches in 2010.
In total, the 82 data breaches reported in September compromised data on a collective 9.2 million patients.
July 2019, which held the previous record for data breaches reported in a single month, encompassed 59 data breaches that exposed data on 26.7 million patients.