Ugh. I’ve been so busy adding Blackbaud incident-related reports to my worksheets that I maintain for my research with Protenus for Breach Barometer that I forgot to post some incidents here. Thankfully, a kind reader gave me a gentle poke to let you know that Lisa Schenker reported that NorthShore University HealthSystem is notifying approximately 348,000 patients whose protected health information (PHI) was involved in the Blackbaud incident.
Regular readers will remember that Blackbaud paid the attackers’ ransom demand with the understanding that the threat actors would destroy their copy of exfiltrated data.
Read more about NorthShore’s part of the incident on Chicago Tribune.
And for those who are curious: we are still first learning about entities who had PHI involved in the Blackbaud breach, and we do not have numbers for all of the ones we do know about. But as of today, I’ve tabulated 3,148,492 patients who had PHI involved. I have no doubt that there will be many more.
And because this has been a brutal year for me trying to keep up, let me give you a sense of what’s been going on:
In June, I entered 83 incidents in my worksheets. In July, I entered more than 50 incidents on my worksheet for the month, but that number is not the final number for the month. In August, I entered 73 incidents, and more are still coming in. And so far for September, it continues to be about 2 per day.
I still remember when we first hit about 1 per day.
Keep in mind that unlike other sites who rely solely on HHS’s public breach tool, DataBreaches.net and Protenus use multiple sources so that our numbers go beyond just HIPAA-covered entities to include other types of organizations that collect, store, or process health or medical data.
So how is YOUR year going?