
Blackbaud Ransomware Victim Count Climbing

Health Data Breach Tally Shows Impact of Vendor Breach

The May ransomware attack on cloud-based fundraising database management vendor Blackbaud continues to rack up victims in the healthcare sector.


A snapshot Wednesday of the federal health data breach tally shows at least eight organizations – including seven in recent weeks – reporting breaches linked to the Blackbaud incident, affecting a combined total of nearly 1.6 million individuals so far, with additional related breaches yet to be posted.

The Blackbaud ransomware incident also has affected organizations in other industries. And the company now faces a lawsuit that questions the company’s move to pay off a hacker in return for a promise to delete data that was stolen (see: Class Action Lawsuit Questions Blackbaud’s Hacker Payoff).

The largest of the Blackbaud-related health data breaches was reported in August by Maine-based healthcare delivery system Northern Light Health, which said 657,000 individuals were affected. That makes this part of the Blackbaud incident alone the second largest breach listed on the Department of Health and Human Services' HIPAA Breach Reporting Tool website so far this year.

Over the last month, at least seven additional breaches tied to the Blackbaud ransomware attack have been posted on the tally, which lists health data breaches affecting 500 or more individuals.

One of those entities – Washington-based MultiCare Health System – reported to HHS a breach involving the Blackbaud ransomware attack affecting about 179,000 individuals. But the organization says in a statement that it’s notifying 300,000 “donors and patients.”

At least two more health data breaches – reported by North Carolina-based Atrium Health and Illinois-based NorthShore University HealthSystem – have not yet made it to the federal tally. The Chicago Tribune reports that the NorthShore breach affected 348,000 individuals.

Blackbaud Ransomware Attack Breaches on Tally So Far

Breached Entity                      Individuals Affected
Northern Light Health                657,000
Saint Luke's Foundation              360,000
MultiCare Health System              179,000
University of Florida Health         136,000
The Guthrie Clinic                    92,000
Main Line Health                      61,000
Northwestern Memorial HealthCare      56,000
Spectrum Health                       53,000
Atrium Health                        N/A
NorthShore University HealthSystem   N/A
Total:                             1,594,000

Sources: U.S. Dept. of Health and Human Services, breached healthcare entities

Vendor Attacks

The Blackbaud ransomware attack is the second major hacking incident in 2020 involving a vendor that has been responsible for large victim counts in the healthcare sector.

An April ransomware incident involving managed healthcare company Magellan Health has impacted about a dozen healthcare sector entities reporting breaches affecting a total of nearly 1.7 million individuals.

So far, at least one organization and its affiliates have reported breaches involving both the Blackbaud and Magellan Health ransomware incidents.

At least three University of Florida-related entities that offer their employees Magellan Health plans are listed on the HHS website as reporting breaches linked to the Magellan ransomware attack. Those breaches affected a total of more than 76,000 individuals.

The University of Florida Health also reported to HHS on Aug. 14 a breach affecting nearly 136,000 individuals tied to the Blackbaud ransomware incident.

More Hacks

While a growing list of healthcare organizations have been stung by ransomware attacks on vendors in recent months, several healthcare entities have reported their own large hacking breaches in recent weeks, some involving ransomware.

For instance, three of the largest hacking incidents posted on the HHS tally in recent weeks affected:

Other Trends

As of Wednesday, 345 breaches impacting about 11.6 million individuals have been added to the HHS tally in 2020.

Of those, 217 breaches affecting a combined total of nearly 9.8 million individuals were reported as hacking/IT incidents.

So far in 2020, 115 breaches impacting nearly 5.3 million individuals were reported as involving a business associate. That means that while business associates were reported “present” in only about one-third of the health data breaches posted to the HHS tally so far this year, those incidents accounted for more than half of the individuals impacted.

Unauthorized access/disclosure breaches are the second most common type reported so far this year, with 81 incidents impacting 423,000 individuals.

Since 2009 when federal regulators began keeping a tally, 3,412 major health data breaches affecting a combined total of nearly 251 million individuals have been posted to the HHS site.

Business Associate Risks

With hacking incidents involving vendors leading to so many large health data breaches, healthcare sector entities need to ratchet up their third-party risk management efforts, some experts note.

“It is now more important than ever to have business associates attest in detail how they are in compliance with the HIPAA Security Rule and how current and how comprehensive their risk analysis is,” says Susan Lucci, senior privacy and security consultant at tw-Security.

“On another front, it is extremely important for covered entities to document their BA compliance levels, but also to ask if they utilize any downstream business associates and if they are vetting those business associates’ compliance levels.”

Technology Integration

Jason Ortiz, a senior product engineer at the security consultancy Pondurance, says healthcare entities also need to closely scrutinize the security risks tied to their vendors’ technology deployments.

“Vendor integration with core corporate environments is undoubtedly one of the scariest things a CISO can experience,” he says.

Healthcare organizations’ IT and security teams usually have limited visibility into a vendor’s hardware and software integration, as well as the vendor’s policies regulating access and other controls, he says.

Even if a CISO does their due diligence during the purchasing process to ensure they are working with vendors practicing strong security standards, there is always additional risk of a breach with these integrations, he says.

“Monitoring and detection of abnormal activities on or related to these vendor integrations is the next best thing you can do to protect your environment. If you cannot prevent the breach entirely due to lack of visibility and control over the integrations, detecting when and how it's happening could save the entire corporate environment.”

Healthcare organizations are increasingly reliant on connected technologies to provide healthcare services to patients, Ortiz notes.

“As a result, these organizations need to have a world-class security program that protects their assets. This must go far beyond solely remaining compliant and needs to incorporate strong elements of the entire security lifecycle as described by the National Institute of Standards and Technology,” he says.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
