Ransomware attack on third-party software continues to claim victims
Separate incidents at two US healthcare organizations may have resulted in the personal data of more than 190,000 patients being compromised following a high-profile cyber-attack against a third-party cloud software provider.
A ransomware attack on Blackbaud in May 2020 saw attackers take control of some of the company’s servers and encrypt some data sets.
The software, which provides donor and fundraising management programs for websites, is used by charities and other institutions worldwide.
Four months on, organizations continue to count the cost of the third-party data breach.
Children’s Minnesota, one of the largest children’s healthcare organizations in the US, recently announced that the personal data of more than 160,000 patients may have been compromised in the incident.
The medical center said it used Blackbaud’s cloud-based software for fundraising activities.
Patient details, including names, ages, addresses, medical records, dates of treatment, and medical insurance information, were exposed, Children’s Minnesota said in a recent security alert.
“Importantly, financial account, credit card information and Social Security numbers were not contained in the affected Blackbaud database,” the advisory read.
“This incident did not involve any access to our medical systems or electronic health records.”
Separately, Our Lady of the Lake Regional Medical Center in Baton Rouge, Louisiana, also announced this week that it had suffered a breach as a result of the Blackbaud attack.
The medical center’s sister organization, Our Lady of the Lake Foundation, was one of the victims of the Blackbaud breach in May.
The healthcare provider said it had shared some data with the foundation, resulting in the personal details of more than 31,000 patients being exposed.
Leaked data includes names, addresses, phone numbers, and email addresses, as well as “limited” health information such as assigned physician names.
Our Lady of the Lake stressed that no financial records had been affected.
The center also said it was “working with Blackbaud to understand why there was a delay between finding the breach and notifying us, as well as what actions Blackbaud has and is taking to increase its security and prevent future attacks.”
Hundreds of organizations impacted
So far, the Blackbaud incident has affected hundreds of organizations from healthcare providers to universities and other charities.
Last month, two UK charities announced they had been impacted by the breach: The Christie and the Mines Advisory Group, both based in Manchester, fell victim to the attack.
Blackbaud paid the ransom, though the figure has not been officially reported. In return, the attackers said they had deleted the stolen data, a claim that cannot be independently verified.
Given the size of the incident, more information continues to come to light about the organizations that were affected.
The scale of the Blackbaud breach also raises more questions regarding the use of third-party software.
Jeremy Hendy, CEO at digital risk protection company Skurio, told The Daily Swig: “Breaches often happen through a security failure at a supply chain partner, three or four levels removed from your own organization.
“Healthcare organizations have complex digital ecosystems, with sensitive patient and staff data potentially flowing through thousands of different technologies – many of which may not be visible.
“No matter how good your own network security, someone else may lose your data and bad actors are ready to exploit this, that’s why you need to be securing your data, not just your network.”
Joseph Carson, chief security officer at Thycotic, added: “It is essential to perform a data impact and risk assessment on any software a company decides to use such as what data is being collected, what security controls it has, data integrity and availability such as a strong data backup and resiliency.
“Though it is important to know that not all third-party software is equal – with some coming with security by design enabled, while others offer very basic security controls that are turned off.”