Breach of nonprofit vendor including clients worldwide also ensnares MultiCare
Story has been updated with additional comment from MultiCare.
Tacoma-based MultiCare Health System is alerting patients and foundation donors of a potential breach of their personal information.
In an announcement posted on its website Aug. 21, the health system said it was addressing a “security incident” experienced by a foundation vendor.
According to the health system, “On July 16, MultiCare was informed of a worldwide data security incident experienced by Blackbaud Inc. — an engagement and fundraising platform utilized by MultiCare Foundations.”
Blackbaud is based in Charleston, South Carolina.
MultiCare noted that the incident targeted more than 25,000 nonprofit organizations worldwide, and added that “Blackbaud has advised MultiCare that the cybercriminals … did not have access to credit card information, bank account information or Social Security numbers at any time.”
MultiCare, in its notification to individuals, said Blackbaud discovered and stopped the ransomware attack in May, but a data file may have been accessed.
“To protect personal customer data, Blackbaud paid the cybercriminal’s ransom with confirmation that the removed copy had been destroyed. Based on the nature of the incident, Blackbaud’s research, and third-party (including law enforcement) investigation, Blackbaud has no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.”
The security breach involves “selected information about some of MultiCare’s donors, potential donors, patients and former patients who we believe may want to support our health care mission and others in the community with whom we have relationships,” according to the health system.
“For 126,092 donors, only name, address, telephone number and email address were involved. For 176,677 patients, the personal information involved included demographics, date and department of service, and provider name. For some guarantors, the date of birth, address and date of service may have been included as well. Minor names were not involved.”
MultiCare said it has sent emails and letters to patients and donors who may have been affected by the incident. When asked Monday why it took so long to notify individuals, the health system’s spokeswoman responded late Monday via email:
“Since being notified, MultiCare has been working closely with Blackbaud to fully understand what information was compromised, who exactly was impacted from our database, and to review Blackbaud’s compliance and security strategy to ensure our data will continue to be protected,” Marce Edwards, MultiCare’s executive director of corporate communications, told The News Tribune via email.
“Once we understood the full situation from Blackbaud, we worked quickly to provide accurate information and next steps via email or first-class mail to those we believed to be impacted.”
Blackbaud has also alerted various other nonprofits that their data was included in the incident, including Planned Parenthood, Vermont Public Radio and the George W. Bush Presidential Center, according to the NonProfit Times, along with more than 50 universities in the UK, US, Canada, and New Zealand, according to one analysis.
NPR said it too had received notice from Blackbaud.
MultiCare made headlines in 2017 with another data breach, alerting about 1,200 former and current patients after it discovered an unauthorized individual may have gained access to an employee’s email account.
This story was originally published August 24, 2020 at 5:58 PM.