The aftermath of Blackbaud’s data breach continues to extend, with Inova Health System stepping forward as the latest victim of the ransomware incident announced by the US-based cloud computing provider in May 2020.
“Inova Health System (“Inova”), a non-profit health organization, recently learned that Blackbaud, a third-party service vendor used for fundraising and alumni or donor engagement efforts at non-profits and universities worldwide, was the subject of a data security incident,” the organization said. “This was a wide-reaching security event that involved data of many of Blackbaud’s clients around the world, including certain personal information of Inova patients and donors. Inova takes seriously the security of our patients’ and donors’ personal information, and is notifying affected individuals and providing them with steps they can take to protect themselves.”
According to the US Department of Health and Human Services data breach portal, the incident affected the personal information of 1,045,270 donors and patients.
Following an internal investigation, Inova determined that the information potentially stolen during the attack may have included full names, addresses, dates of birth, phone numbers, provider names, date of service, hospital departments and donation history information.
The data breach did not impact Social Security Numbers, credit card information or electronic health records, the health organization underlined.
Although Blackbaud agreed to pay ransom demands for the attackers to provide decryption keys and permanently delete any exfiltrated data, Inova advises impacted individuals to remain vigilant and monitor their financial account statements for any suspicious activities.
“According to Blackbaud, there is no evidence to believe that any data will be misused, disseminated, or otherwise made publicly available,” Inova added. “Nevertheless, Inova encourages impacted individuals to take actions to help protect their personal information. These actions include placing a fraud alert and/or security freeze on their credit files, and/or obtaining a free credit report.”
Evidence suggesting the misuse of patient or donor information has not been observed at this time. Blackbaud confirmed that it has seen evidence indicating that the stolen data was permanently deleted. As a precaution, it is using a third-party service to monitor the dark web for any marketplace listings of the exfiltrated data.