Earlier this week, Marianne Kolbasuk McGee published a follow-up piece on the Blackbaud ransomware incident. As part of her update, she reported that Blackbaud would not answer questions about the number or names of clients whose patient data, or whose donors' medical information, was involved in the incident. McGee notes:
A snapshot on Tuesday of the Department of Health and Human Services’ HIPAA Breach Reporting Tool website – along with notification statements issued by the breached entities – shows that at least four dozen healthcare sector organizations were affected by the Blackbaud hacking incident.
DataBreaches.net can add to that picture: this site has been tracking the incident since August, compiling reports from Blackbaud clients whose patients were affected or whose donors had disclosed medically related information that was stored on Blackbaud's systems.
On September 13, DataBreaches.net issued its first interim report on the breach. On September 24, this site issued its second interim report. Since then, this site has continued to research and compile relevant reports. Note that the numbers reported below are not final. Although many of Blackbaud's clients were notified on July 16, many report that they could not get the information they needed from Blackbaud quickly, which delayed their own notifications. In some cases, entities had to revise their notifications after Blackbaud revised its own statement about what was involved in the incident. In yet other cases, entities report that Blackbaud first notified them in September. We are still seeing new notifications in November.
As pointed out in our earlier reports, not all entities in DataBreaches.net's list are HIPAA-covered entities. Non-profit support organizations that seek donations often collect information on donors such as the donor's own diagnosis or experience with a particular disorder. In some cases, donations may be made in honor of a named patient or may mention a physician or a service provided. Many of these organizations are not covered by HIPAA, so their incidents will not appear on HHS's public breach tool. They are included in this report, however.
Today's updated report is based on 105 entries. For each entity, there is a linked notification or media coverage. In some cases, it is not clear whether some data have been double-counted, as a parent health system may report its numbers while a component unit also reports its own number affected. But while there may be some over-counting in a few cases, it is important to note that of the 105 entries, we are missing numbers for 29 of them (28%), so the totals below are almost certainly an underestimate of the true scope of the breach when it comes to patient data.
With those qualifications in mind, we can report today that:
- Adults & Children with Learning & Developmental Disabilities, Inc. reported the fewest patients to be notified: 603.
- Trinity Health reported the largest number of patients to be notified: 3,320,726. That figure appears to cover all 92 of its hospitals.
- For the 76 entities for which we have data, a total of 10,901,421 individuals had their demographic information and status as patients involved, sometimes with additional details about their patient experiences.
- Across those 76 incidents, the mean was 143,439.75 patients per entity and the median was 58,289 patients per entity.
Are you unnecessarily giving fundraising arms or business associates protected health information? Some simple alterations in the data you provide may change it from PHI to non-PHI.
DataBreaches.net is publishing its list of affected Blackbaud clients, below, for two reasons. The first is that Blackbaud has not been transparent about how many patients were impacted. If we have almost 11 million accounted for and are missing data for 28% of entities, the numbers are obviously significant.
Second: we do not take comfort in Blackbaud’s assurances that the criminals destroyed the data because Blackbaud paid their ransom demand and received assurances from the criminals and others whom they do not name. Indeed, Coveware’s most recent report makes clear that some criminals do keep copies of data and dump them, sell them, or share them even after pinky-swearing that they won’t. By publishing this list, DataBreaches.net hopes to help victims and others recognize if data shows up on the dark web that might come from this breach.
You can find DataBreaches.net’s updated list of compiled reports below. Please send any additions, deletions, or corrections to the list to breaches[at]databreaches.net.
You are welcome to use the list if you properly credit this site’s work. And if any firm or organization would like to throw some sponsorship at this site to support this site’s continued efforts to shine the light on patient data privacy and security, please contact me at breaches[at]databreaches.net.
Blackbaud_Update3_11062020