HIPAA Horror Stories

Bamboozled and Breached

one-minute read

Updated September 15, 2020

Imagine donating money to a beloved local hospital that cared for a grandparent or helped deliver your baby. But then your family’s private information was stolen from the fundraising database, exposing you and them to identity theft or fraud. This happened in 2020 to 2.66 million people from nineteen different health systems – the tally grows as the investigation continues.

Business Associates are Weak Link Targets

This is a classic case of a stealth breach through the back door of a business associate. No one suspected that a fundraising tool used by healthcare would be hacked and expose so many individuals’ private information. The hospitals were not hacked, but their business associate was.

Lots of nonprofit healthcare systems rely on fundraising and use a third-party vendor – a business associate – to help. Blackbaud, Inc. is a business associate providing cloud-based fundraising database management to healthcare organizations worldwide, including 30 of the top 32 largest nonprofit hospitals. Did the hospitals do the due diligence required to make sure Blackbaud was following HIPAA?

Blackbaud was hacked between February 7, 2020 and May 20, 2020. It appears that the cyberthief acquired a backup of the database which includes donor or patient information for whom donations were made, including names, age, gender, dates of birth, medical record number, dates of service, departments of service, treating physicians, and/or limited clinical information. Then they were hit with ransomware in May.

A business associate as large as Blackbaud with hundreds of customers around the world contains a mother lode of valuable data, all in one place, which makes it a tempting target for cyberthieves. The situation is similar to the largest healthcare breach of 2019, which occurred at a business associate medical collections company, American Medical Collections Agency (AMCA), that serviced LabCorp, Quest and many other covered entities.

The following data is sourced from the the U.S. Department of Health and Human Services, and complied by databreachtoday.com in Tally of Those Affected by Blackbaud Hack Soars.

Blackbaud Ransomware Attack Health Data Breaches, Update

Breached Entity Individuals Affected
Inova Health 1 million
Northern Light Health 657,000
Saint Luke’s Foundation 360,000
MultiCare Health System 179,000
University of Florida Health 136,000
The Guthrie Clinic 92,000
Main Line Health 61,000
Northwestern Memorial HealthCare 56,000
Spectrum Health 53,000
Richard J. Caron Foundation 23,000
Atrium Health N/A
NorthShore University HealthSystem N/A
SCL Health – St. Mary’s N/A
Catholic Health N/A
Boulder Community Health Foundation N/A
Enloe Medical Center N/A
University of Kentucky (UK) Healthcare N/A
UT Health San Antonio N/A
Riverside Health System N/A
Total: 2.66 Million

Where is the PHI?

Several weeks ago we highlighted the risks of hidden protected health information (PHI). A hospital HIPAA compliance officer may not think to include the fundraising software used by a non-medical care department in its Risk Analysis, since it’s not directly connected to patient care. But this is a good example of the importance of thinking long and hard to uncover all the places where patient data is stored.

Whether you’re a covered entity or a business associate, if you need help thinking creatively about your Risk Analysis, what questions, whom to ask and where to look, get in touch with The HIPAA E-Tool®.

Photo by Tim Bish on Unsplash

Don’t become a HIPAA Horror Story! HIPAA compliance is easy, when you know the rules.

Request A Demo

Copyright © 2023 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

Terms & Conditions | Privacy Policy | Cookies Policy | Privacy Settings | HTML/XML Sitemap

Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

8820 Ladue Road Suite 200
St. Louis, MO 63124