Fraud Management & Cybercrime , Governance & Risk Management , Healthcare
Blackbaud Ransomware Victim Count ClimbingHealth Data Breach Tally Shows Impact of Vendor Breach
The May ransomware attack on cloud-based fundraising database management vendor Blackbaud continues to rack up victims in the healthcare sector.
A snapshot Wednesday of the federal health data breach tally shows at least eight organizations – including seven in recent weeks - reporting breaches linked the Blackbaud incident, affecting a combined total of nearly 1.6 million individuals so far – with additional relevant breaches yet to be posted.
The Blackbaud ransomware incident also has affected organizations in other industries. And the company now faces a lawsuit that questions the company’s move to pay off a hacker in return for a promise to delete data that was stolen (see: Class Action Lawsuit Questions Blackbaud’s Hacker Payoff).
The largest of the Blackbaud-related health data breaches was reported in August by Maine-based healthcare delivery system Northern Light Health, which said 657,000 individuals were affected. That makes this part of the Blackbaud incident alone the second largest breach listed on the Department of Health and Human Services' HIPAA Breach Reporting Tool website so far this year.
Over the last month, at least seven additional breaches tied to the Blackbaud ransomware attack have been posted on the tally, which lists health data breaches affecting 500 or more individuals.
One of those entities – Washington-based MultiCare Health System – reported to HHS a breach involving the Blackbaud ransomware attack affecting about 179,000 individuals. But the organization says in a statement that it’s notifying 300,000 “donors and patients.”
At least two more health data breaches – reported by North Carolina-based Atrium Health and Illinois-based NorthShore University HealthSystem have not yet made it to the federal tally. The Chicago Tribune reports that the NorthShore breach affected 348,000 individuals.
Blackbaud Ransomware Attack Breaches on Tally So Far
|Breached Entity||Individuals Affected|
|Northern Light Health||657,000|
|Saint Luke's Foundation||360,000|
|MultiCare Health System||179,000|
|University of Florida Health||136,000|
|The Guthrie Clinic||92,000|
|Main Line Health||61,000|
|Northwestern Memorial HealthCare||56,000|
|NorthShore University HealthSystem||N/A|
The Blackbaud ransomware attack is the second major hacking incident in 2020 involving a vendor that has been responsible for large victim counts in the healthcare sector.
An April ransomware incident involving managed healthcare company Magellan Health has impacted about a dozen healthcare sector entities reporting breaches affecting a total of nearly 1.7 million individuals.
So far, at least one organization and its affiliates have reported breaches involving both the Blackbaud and Magellan Health ransomware incidents.
At least three University of Florida-related entities that offer their employees Magellan Health plans are listed on the HHS website as reporting breaches linked to the Magellan ransomware attack. Those breaches affected a total of more than 76,000 individuals.
The University of Florida Health also reported to HHS on Aug. 14 a breach affecting nearly 136,000 individuals tied to the Blackbaud ransomware incident.
While a growing list of healthcare organizations have been stung by ransomware attacks on vendors in recent months, several healthcare entities have reported their own large hacking breaches in recent weeks, some involving ransomware.
For instance, three of the largest hacking incidents posted on the HHS in recent weeks affected:
- Louisiana-based Baton Rouge Clinic, affecting 308,000 individuals;
- Arizona-based Assured Imaging, impacting nearly 245,000;
- Kentucky-based Imperium Health, affecting more than 139,000.
As of Wednesday, 345 breaches impacting about 11.6 million individuals have been added to the HHS tally in 2020.
Of those, 217 breaches affecting a combined total of nearly 9.8 million individuals were reported as hacking/IT incidents.
So far in 2020, 115 breaches impacting nearly 5.3 million individuals were reported as involving a business associate. That means that while business associates were reported “present” in only about one-third of the health data breaches posted to the HHS tally so far this year, those incidents accounted for more than half of the individuals impacted.
Unauthorized access/disclosure breaches are the second most common type reported so far this year, with 81 incidents impacting 423,000 individuals.
Since 2009 when federal regulators began keeping a tally, 3,412 major health data breaches affecting a combined total of nearly 251 million individuals have been posted to the HHS site.
Business Associate Risks
With hacking incidents involving vendors leading to so many large health data breaches, healthcare sector entities need to ratchet up their third-party risk management efforts, some experts note.
“It is now more important than ever to have business associates attest in detail how they are in compliance with the HIPAA Security Rule and how current and how comprehensive their risk analysis is,” says Susan Lucci, senior privacy and security consultant at tw-Security.
“On another front, it is extremely important for covered entities to document their BA compliance levels, but also to ask if they utilize any downstream business associates and if they are vetting those business associate’s compliance levels.”
Jason Ortiz, a senior product engineer at the security consultancy Pondurance, says healthcare entities also need to closely scrutinize the security risks tied to their vendors’ technology deployments.
“Vendor integration with core corporate environments is undoubtedly one of the scariest things a CISO can experience,” he says.
Healthcare organizations’ IT and security teams usually have limited visibility into a vendor’s hardware and software integration, as well as the vendor’s policies regulating access and other controls, he says.
Even if a CISO does their due diligence during the purchasing process to ensure they are working with vendors practicing strong security standards, there is always additional risk of a breach with these integrations, he says.
”Monitoring and detection of abnormal activities on or related to these vendor integrations is the next best thing you can do to protect your environment. If you cannot prevent the breach entirely due to lack of visibility and control over the integrations, detecting when and how it's happening could save the entire corporate environment.”
Healthcare organizations are increasingly reliant on connected technologies to provide healthcare services to patients, Ortiz notes.
”As a result, these organizations need to have a world-class security program that protects their assets. This must go far beyond solely remaining compliant and needs to incorporate strong elements of the entire security lifecycle as described by the National Institute of Standards and Technology,” he says.