On September 30, 2020, the SEC (U.S. Securities and Exchange Commission) received the Form 8-K filed by Blackbaud to give more information about the ransomware attack that the company encountered in May 2020. Blackbaud explained that the investigation by the forensic team revealed the possibility that more information was compromised in the attack. The attackers may have viewed the unencrypted fields that were intended for bank account details, usernames, passwords, and Social Security numbers of some clients.
For most of the Blackbaud clients affected by the attack, the data mentioned above were not compromised. The attackers could not read the sensitive information thanks to encryption. Blackbaud mentioned that it had sent notifications to all clients whose sensitive data were potentially exposed and gave them further assistance.
Blackbaud reported in the SEC filing that it had stopped the attackers from completely encrypting some files, but the attackers were able to extract a part of the data from Blackbaud’s cloud before encryption.
Blackbaud previously stated that it paid the attackers' ransom demand so that the stolen data would not be exposed to the public or offered for sale. The attackers confirmed the deletion of the stolen data after receiving the ransom payment. The SEC filing did not state how much Blackbaud paid.
Blackbaud is sure that no data was posted publicly or further compromised; even so, there is a risk typical of paying hackers who have stolen data and encrypted records. It’s possible that they did not do as they said and kept a copy of the stolen information. Blackbaud is enforcing safety procedures and has engaged a cybersecurity agency to keep an eye on the dark web and hacking forums for any posting of the stolen data.
On July 16, Blackbaud published notices about the data breach in compliance with the HIPAA breach notification rules. Throughout August and September, the number of breaches published on the HHS’ Office for Civil Rights breach portal steadily increased. Approximately 58 US healthcare companies have reported that the breach impacted them, and there are more than 3 dozen breaches currently listed on the OCR breach portal.
The worst affected company thus far is Trinity Health. There were 3,320,726 individuals whose protected health information (PHI) was exposed. The PHI of 1,045,270 Inova Health System clients and 657,392 Northern Light Health clients was likewise affected by the breach. Many other healthcare organizations have stated that the breach affected many of their clients. To date, nearly 10 million individuals have been affected.
Blackbaud, the security firms, and the authorities are continuing to investigate the breach.