The Falls Church, Va.-based Inova Health System has publicly acknowledged that it’s been impacted by a ransomware attack on Blackbaud, a third-party service vendor whose clients around the world have also been affected by the wide-reaching security incident.
On July 16, Blackbaud—which is used for fundraising and alumni or donor engagement efforts at non-profits and universities worldwide—informed Inova that it had discovered and stopped a ransomware event that occurred in May. Blackbaud’s investigation concluded that the threat actor intermittently removed data from Blackbaud’s systems between February 7, 2020 and May 20, 2020, including certain information that Blackbaud maintained for Inova. According to Inova officials, Blackbaud said the data was permanently destroyed and assured the health system that it had closed the vulnerability that allowed the incident.
Nonetheless, the data breach portal of the U.S. Department of Health and Human Services (HHS) shows that the security incident potentially exposed the information of more than 1 million individuals. Becker’s Hospital Review recently reported that the breach has affected more than 25,000 organizations worldwide, including many health systems in the U.S. The list of patient care organizations impacted by the incident now totals 12, including NorthShore University HealthSystem, MultiCare Health System, Saint Luke's Health System and Atrium Health. The attack potentially impacted at least 3 million people across those dozen health systems.
Inova said that once it was informed of the issue, it immediately began an investigation, in partnership with cybersecurity professionals, to determine who may have been affected, and to notify them. Then on Aug. 10, Inova determined that the information removed by the threat actor may have contained certain personal information of some patients and donors, including full names, addresses, dates of birth, phone numbers, provider name(s), date(s) of service, hospital department(s), and/or philanthropic giving history such as donation dates and amounts.
Importantly, individuals’ Social Security numbers, financial account information and payment card information were not exposed in this incident. In addition, the Inova electronic health record (EHR) system was not impacted by this incident, officials stated.
According to Blackbaud, there is no evidence to believe that any data will be misused, disseminated, or otherwise made publicly available. Nevertheless, Inova is encouraging impacted individuals to take actions to help protect their personal information. These actions include placing a fraud alert and/or security freeze on their credit files, and/or obtaining a free credit report.
Health system officials stated, “Inova deeply apologizes for any inconvenience this may cause. Blackbaud has assured Inova that they closed the vulnerability that allowed the incident, and that they are enhancing their security controls and conducting ongoing efforts against incidents like this in the future.”