Tally of Those Affected by Blackbaud Hack SoarsReports of Breaches, Including One Affecting 1 Million, Continue to Mount
The number of individuals affected by the May ransomware attack on cloud-based software vendor Blackbaud, which involved the theft of data, continues to soar. And breach reports tied to the incident now total over 170, according to one estimate.
Meanwhile, Blackbaud, which offers marketing, fundraising and customer relationship management software, faces a lawsuit that questions the company's move to pay off a hacker in return for a promise to delete data that was stolen (see: Class Action Lawsuit Questions Blackbaud's Hacker Payoff).
In the latest breach update, Virginia-based Inova Health System has reported that more than 1 million individuals it serves had their data exposed as a result of the Blackbaud incident, according to the Department of Health and Human Services' HIPAA Breach Reporting Tool.
The HHS Office for Civil Rights website - also commonly called the "wall of shame" - lists health data breaches affecting 500 or more individuals.
In its breach notification statement, Inova says it determined information stolen in the Blackbaud incident may have contained personal information of its patients and donors, including names, addresses, dates of birth, phone numbers, provider names, dates of service and philanthropic giving details.
Inova is among at least 20 healthcare organizations identified by Information Security Media Group as having issued breach notification statements tied to the Blackbaud ransomware incident. But as of Friday, nearly half of those breach reports were not yet posted on the HHS breach reporting website (see: Blackbaud Ransomware Victim Count Climbing).
Blackbaud Ransomware Attack Health Data Breaches, Update
|Breached Entity||Individuals Affected|
|Inova Health||1 million|
|Northern Light Health||657,000|
|Saint Luke's Foundation||360,000|
|MultiCare Health System||179,000|
|University of Florida Health||136,000|
|The Guthrie Clinic||92,000|
|Main Line Health||61,000|
|Northwestern Memorial HealthCare||56,000|
|Richard J. Caron Foundation||23,000|
|NorthShore University HealthSystem||N/A|
|SCL Health - St. Mary's||N/A|
|Boulder Community Health Foundation||N/A|
|Enloe Medical Center||N/A|
|University of Kentucky (UK) Healthcare||N/A|
|UT Health San Antonio||N/A|
|Riverside Health System||N/A|
The Blackbaud incident "is not just one breach, and therefore risk is compounded for everyone - breached entities, consumers, affected financial account providers such as banks, credit unions, or tax authorities - because it's a complex of breaches," says Jim Van Dyke, CEO of security services firm Breach Clarity, which has been tracking the Blackbaud fallout.
"The last count of publicly reported data breaches related to Blackbaud is 173 breaches - and it was 163 last week," he says. "Expect more. ... This is likely to be one of the biggest breaches of the year. And due to the complexity, the misinformation factor could exacerbate the damage. Both consumers and businesses will pay a price here."
Other Sectors Hit
The incident involving Blackbaud - a cloud-based fundraising database management vendor - also affected many of the company's clients outside the healthcare sector, including universities, nonprofits and others.
Among those affected are the joint fundraising arm of Valley City State University, the University of North Dakota, North Dakota State University, and Minot State University; the University of Bridgeport; the West Virginia University Foundation; and Emerson College in Boston.
Because the list of victims also includes organizations in Europe, Blackbaud must comply with the European Union's General Data Protection Regulation. Educational institutions in Europe that have been impacted include England's University of Manchester and the National University of Ireland in Galway.
Other institutions across the globe affected by the Blackbaud incident include Canada's University of Western Ontario and New Zealand's University of Auckland (see: Blackbaud's Bizarre Ransomware Attack Notification).
In a statement provided to Information Security Media Group on Friday, Blackbaud says: "Based on the nature of the incident, our research and third-party - including law enforcement - investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly. [The attacker's] motivation was to disrupt our business by encrypting customer files in our datacenters, which we were able to prevent. We have hired a third-party team of experts to monitor the dark web as an extra precautionary measure."
The company declined to provide additional details about the incident, including the number of organizations and individuals affected. "We will not be commenting beyond the statement on our website," the company tells ISMG.
Blackbaud acknowledged earlier that it "discovered and stopped a ransomware attack" in May.
After discovering the incident, the company's security team, along with independent forensics experts and law enforcement, "successfully prevented the cybercriminal from blocking our system access and fully encrypting files and ultimately expelled them from our system," Blackbaud said.
"Prior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment. The cybercriminal did not access credit card information, bank account information or Social Security numbers," the company said.
"Because protecting our customers' data is our top priority, we paid the cybercriminal's demand with confirmation that the copy they removed had been destroyed."
Customers who were affected by the incident were notified and supplied with additional information and resources, the company added.