Blackbaud cyber-attack claims another victim
The University of Tennessee Medical Center has announced a data breach impacting a reported 235,000 people.
The breach was a result of the Blackbaud cyber-attack in May 2020, which exposed the personal data of thousands of individuals around the world.
Blackbaud, a third-party software provider, provides support and management tools for fundraising and is used by charities and other organizations worldwide.
It was the victim of a ransomware attack which saw malicious hackers steal customer data from the vendor’s networks.
Blackbaud’s owners paid an unknown ransom amount to the assailants, who claim they deleted the data, although organizations around the world continue to count the cost of the attack.
Healthcare breach
The University of Tennessee Medical Center discovered its customers had been a victim of the Blackbaud breach on July 16.
According to an entry on the US Department of Health and Human Services breach portal, some 234,954 individuals are being notified of the incident.
Patient names, contact details, and demographic data may have been accessed as a result of the incident, the medical center said.
Read more of the latest healthcare breaches and security news
A statement reads: “Blackbaud has specifically informed us that the cybercriminal did NOT access credit card information, bank account information, or social security numbers.
“According to Blackbaud, the cybercriminal did, however, remove a copy of a subset of Blackbaud customer data beginning as early as February 2020.”
Victims will be informed via postal mail, the center said. It is also “reviewing all relevant business practices regarding the security of Blackbaud data”.
“Blackbaud stated that it quickly identified the vulnerability associated with this incident and took swift action to fix it,” the statement reads.
Other victims
This latest incident comes a week after two other US healthcare providers announced they had been impacted by the Blackbaud incident.
Children’s Minnesota, one of the largest children’s healthcare organizations in the US, said the personal data of more than 160,000 patients may have been compromised in the incident.
Patient details including names, ages, addresses, medical records, dates of treatments, and medical insurance information were exposed, a recent security alert revealed.
RELATED Blackbaud hack: US healthcare organizations confirm data breach impacted 190,000 patients
Separately, Our Lady of the Lake Regional Medical Center in Baton Rouge, Louisiana, also announced it had been subject to a breach via the Blackbaud attack.
The medical center’s sister organization, Our Lady of the Lake Foundation, was one of the victims of the Blackbaud breach.
The healthcare provider said it had shared some data with the foundation, resulting in the personal details of more than 31,000 patients being exposed.
Leaked data includes names, addresses, phone numbers, and email addresses, as well as “limited” health information such as assigned physician names.
Risky business
This incident highlights the potential pitfalls of entrusting third-party vendors with your customers’ personal data.
Joseph Carson, chief security officer at Thycotic, told The Daily Swig: “It is essential to perform a data impact and risk assessment on any software a company decides to use such as what data is being collected, what security controls it has, data integrity and availability such as a strong data backup and resiliency.
“Though it is important to know that not all third-party software is equal – with some coming with security by design enabled, while others offer very basic security controls that are turned off.”
READ MORE Blackbaud ransomware attack exposed donor data from two UK charities
