Those of us who frequently check state attorneys general sites are well aware that there are still many consumers and patients who are first being notified of the Blackbaud ransomware incident last year.
Ronald McDonald House is well-known in the U.S., for offering housing accommodations to families who have children being treated for serious illnesses. As it says on their site: “A Ronald McDonald House program helps reduces stress and financial burden for families when they must travel far from home to access medical care for their child…. Research shows that patients whose families stayed at the Ronald McDonald House are the sickest, traveled the farthest distances, and spent the longest time in the hospital.”
RMDH learned that a backup of a database that they previously used for managing guest services had been involved in the Blackbaud incident. The personal information in the database included name and one or more of the following: driver’s license or state ID number, passport number, and/or other government issued identification number. They claim that they discovered the breach on December 1, and letters started being sent on January 14.
RMDH is notifying 17,373 guests of this breach. They are offering a complimentary one-year membership of Experian’s IdentityWorksSM Credit 3B product.
While Blackbaud addressed the breach from their end, RMHD notes that it no longer uses Blackbaud to manage its guest services and is also reviewing how information is stored with third-party vendors, including Blackbaud.
And that is something that all entities should be doing — regardless of whether they were impacted by the Blackbaud incident or not — how much personally identifiable information have you entrusted to third parties? Do you really know that they have secured it properly? Do you really still need to have them store that data for you or can it be taken offline by now?