Blackbaud settles ransomware data breach investigations for $49.5M

Blackbaud was serving 35,000 nonprofit fundraising organizations, including many healthcare organizations, when it was infected with ransomware in 2020 and data — personally identifiable information and protected health information such as admission and discharge dates and physician names and specialties — was exfiltrated.

WHY IT’S IMPORTANT

In the multistate settlement over its data security practices and response to the breach, Blackbaud said it agreed to maintain data protection compliance and improve its cybersecurity programs, and not to make “misleading statements regarding data protection, privacy, security, confidentiality, integrity, reporting obligations in the event of violations and the like.”

The company also noted in a statement on Thursday that it would make the payments from existing liquidity, which was reported as a contingent liability in its June financial statements.

THE BIGGER TREND

In March, Blackbaud settled with the U.S. Securities and Exchange Commission for $3 million to resolve federal allegations that the company made misleading statements about the 2020 ransomware attack that affected more than 13,000 customers and exposed the personal information of millions of Americans across the country.

According to a Reuters report, the SEC said Blackbaud’s disclosure stated that the attacker did not access donors’ bank account information or Social Security numbers. The agency also said an August 2020 quarterly filing omitted key information about the extent of the attack.

In July 2020, the South Carolina-based provider notified NorthShore University HealthSystem in Chicago that the breach had exposed information for 348,000 of its patients. At the time, Blackbaud said there had been no access to credit card or bank account information, Social Security numbers, or user credentials and passwords.

NorthShore reportedly investigated the matter further and discovered that while its medical records were not breached, the data on Blackbaud’s servers included admission and discharge dates, treatment locations and names of physicians.

Third-party providers like Blackbaud represent a major attack surface for the healthcare ecosystem, and several leaders are calling on the federal government to go on the offensive to protect the critical sector.

If they manage to hack a mission-critical vendor, they could gain access to PHI for hundreds of hospitals, said John Riggi, national cybersecurity and risk advisor at the American Hospital Association.

“The cyber adversaries have mapped our sector,” he told Healthcare IT News in December.

“They’ve figured out where the key strategic nodes are – those business-critical third parties that either have access to big data or have aggregated it themselves,” he said.

ON THE RECORD

“At Blackbaud, protecting the privacy of customers and their constituents has always been and continues to be one of our top priorities,” Mike Gianoni, the company’s president and CEO, said in a statement.

“Cyberattacks are constantly evolving, so we continually strengthen our cybersecurity and compliance programs to ensure our resilience to an ever-changing threat landscape,” he assured.

Andrea Fox is managing editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a publication of HIMSS Media.
