Updated September 15, 2020
Imagine donating money to a beloved local hospital that cared for a grandparent or helped deliver your baby. But then your family’s private information was stolen from the fundraising database, exposing you and them to identity theft or fraud. This happened in 2020 to 2.66 million people from nineteen different health systems – the tally grows as the investigation continues.
Business Associates are Weak Link Targets
This is a classic case of a stealth breach through the back door of a business associate. No one suspected that a fundraising tool used by healthcare would be hacked and expose so many individuals’ private information. The hospitals were not hacked, but their business associate was.
Lots of nonprofit healthcare systems rely on fundraising and use a third-party vendor – a business associate – to help. Blackbaud, Inc. is a business associate providing cloud-based fundraising database management to healthcare organizations worldwide, including 30 of the top 32 largest nonprofit hospitals. Did the hospitals do the due diligence required to make sure Blackbaud was following HIPAA?
Blackbaud was hacked between February 7, 2020 and May 20, 2020. It appears that the cyberthief acquired a backup of the database which includes donor or patient information for whom donations were made, including names, age, gender, dates of birth, medical record number, dates of service, departments of service, treating physicians, and/or limited clinical information. Then they were hit with ransomware in May.
A business associate as large as Blackbaud with hundreds of customers around the world contains a mother lode of valuable data, all in one place, which makes it a tempting target for cyberthieves. The situation is similar to the largest healthcare breach of 2019, which occurred at a business associate medical collections company, American Medical Collections Agency (AMCA), that serviced LabCorp, Quest and many other covered entities.
The following data is sourced from the the U.S. Department of Health and Human Services, and complied by databreachtoday.com in Tally of Those Affected by Blackbaud Hack Soars.
Blackbaud Ransomware Attack Health Data Breaches, Update
| Breached Entity | Individuals Affected |
|---|---|
| Inova Health | 1 million |
| Northern Light Health | 657,000 |
| Saint Luke’s Foundation | 360,000 |
| MultiCare Health System | 179,000 |
| University of Florida Health | 136,000 |
| The Guthrie Clinic | 92,000 |
| Main Line Health | 61,000 |
| Northwestern Memorial HealthCare | 56,000 |
| Spectrum Health | 53,000 |
| Richard J. Caron Foundation | 23,000 |
| Atrium Health | N/A |
| NorthShore University HealthSystem | N/A |
| SCL Health – St. Mary’s | N/A |
| Catholic Health | N/A |
| Boulder Community Health Foundation | N/A |
| Enloe Medical Center | N/A |
| University of Kentucky (UK) Healthcare | N/A |
| UT Health San Antonio | N/A |
| Riverside Health System | N/A |
| Total: | 2.66 Million |
Where is the PHI?
Several weeks ago we highlighted the risks of hidden protected health information (PHI). A hospital HIPAA compliance officer may not think to include the fundraising software used by a non-medical care department in its Risk Analysis, since it’s not directly connected to patient care. But this is a good example of the importance of thinking long and hard to uncover all the places where patient data is stored.
Whether you’re a covered entity or a business associate, if you need help thinking creatively about your Risk Analysis, what questions, whom to ask and where to look, get in touch with The HIPAA E-Tool®.