Since our first interim report, DataBreaches.net has continued to compile reports that mention patient information that was disclosed to Blackbaud and that may have been accessed or exfiltrated by ransomware threat actors in the data breach discovered in May. Despite the criminals pinky-swearing that they wouldn’t misuse the data and would destroy it all in exchange for an unspecified amount of ransom, most HIPAA-covered entities seem to be viewing this all as a reportable breach.
The file below contains more than just HIPAA-covered entities. It includes foundations or organizations that may be specific to a particular disorder or medical problem and where the donors may give information about their own diagnoses and history.
As of today, there were 79 entities on DataBreaches.net’s worksheet, with numbers available for 47 of them. The total number of patients so far is 5,565,831.
As I’ve mentioned before: think about how to conduct fund-raising without providing so much protected health information (PHI) to fundraising organizations or business associates.
See the file below for more details on the 79 entities included in this second interim report.
Correction to the file below:
Delete Specialized Alternatives for Families & Youth of America, Inc. Revised interim total = 78 entities with 5,507,708 patients for the 46 for which we have numbers.
Blackbaud_InterimReport2