Published: October 23, 2020, in our Security Fraud News & Alerts Newsletter.
It’s usually only a matter of time before everyone’s Personal Identifying Information (PII) is acquired in some data breach. We can only do so much to protect our data, but once it is provided to someone else, we lose control of what happens to it. Unfortunately, for the many organizations that put their trust in Blackbaud, that time has come. Blackbaud is a vendor that many organizations use to store important data, such as patient or donor information. It has informed many of its clients that some of the information in its care may have been included in the data accessed in a breach earlier this year.
The number of people affected could be in the many hundreds of thousands. Many types of organizations use Blackbaud services, including healthcare organizations, educational institutions, and non-profits. Blackbaud claims that no medical records or payment information were accessed, but there was no shortage of PII included:
Dates of birth
Donor names and addresses
Doctor names and specialties
Admission and discharge dates
The locations where medical services were performed
The intrusion occurred sometime between February 7 and May 20 of 2020, but the incident was not made public until late in July.
What does this mean for those affected? Well, of course, put on your cyber smart caps and check those payment card statements and charges more often than you normally would. Even though Blackbaud claims that payment information was not disclosed, it’s still good practice to keep an eye on them. Notify your financial institution of any oddities right away.
Also, make sure to review the explanation of benefits statements sent by your insurance provider. Those show what is being billed to your account. If anything isn’t correct, contact the insurer immediately. While laughter is the best medicine, healthcare fraud is certainly no laughing matter.
In addition, some organizations did store Social Security Numbers (SSN) with Blackbaud, though not all companies are reporting that those were included. So, just to be on the safe side, check your credit reports regularly and report any abnormal entries to the credit bureaus. Right now, because many of us have been hit with financial hardship, everyone can request a credit report every single week through April of 2021. While it’s usually not necessary to check that often, more than once a year is recommended, and in fact at least every 4 months is best under normal circumstances. If you have been hit with financial hardship, checking more often is recommended. Be sure to go to annualcreditreport.com to do that. Not all websites offer reports for free or without a catch, but that particular site does.
If your organization uses Blackbaud services and has not been notified, now may be a good time for a quick sanity check: give them a call to make sure you were not included in this incident.
How did the attackers get in, you might ask? Well, it was a ransomware attack that took advantage of a vulnerability that had not been patched. Blackbaud did not pay to have the data decrypted, because, well, the attack didn’t actually get that far. What did happen is that the attackers retrieved information from a backup database containing the aforementioned data. Kudos are in order to Blackbaud for having those backups, but it’s really recommended to keep backups unreachable from the internet, so things like this don’t happen. What they did after the fact is what they should have been on top of before, but perhaps were behind the curve on: patch vulnerabilities right away.
While Blackbaud didn’t pony up a ransom for encrypted data, it did pay the attackers something in exchange for a promise to destroy the information. Though there is no proof it was destroyed, Blackbaud assures us that it was. Hmm.
Other great advice for patients, donors, students, and others who may have been affected includes watching out for spearphishing: anyone may receive a detailed, specific email message with links, attachments, or requests for additional information. Don’t click on anything or fill out any forms that are not expected, are from unknown senders, or have typos, grammar mistakes, or just don’t seem safe. If you are unsure, contact the sender via a separate email using an address you already know or find from a separate location. A text message or phone call also serves well here.
Just a few of the organizations affected in this incident include:
NorthShore University HealthSystem – 348,000 people
Inova Health System – 1,045,270 people
St. Luke’s Health System – 360,000 people
Northern Light Health Foundation – 659,000 people
Vermont Student Assistance Corporation (VSAC)
University of London
University of York in England
Ambrose University in Canada
The Rhode Island School of Design
Human Rights Watch