Northern Light Health Foundation Alerts 657,392 Donors About Blackbaud Ransomware Attack

The Brewer, ME-based integrated healthcare group, Northern Light Health Foundation, has revealed it has been impacted by the recent ransomware attack on Blackbaud Inc.

The databases affected include information about donors, possible donors, and individuals who may have attended a fundraising event in the past. Patient medical records were stored separately and were unaffected. The databases contained the records of 657,392 people.

South Carolina-based Blackbaud is one of the world’s biggest education, administration, fundraising, and financial management software providers. A company as large as Blackbaud is naturally a target for hackers. Blackbaud said that it experiences millions of attacks each month and its cybersecurity team successfully defends the company against those attacks, although in May 2020 one of those attacks got through their defenses.

The ransomware attack could have caused much more damage. Blackbaud discovered the ransomware attack quickly and took action to block the attack. Blackbaud was able to stop the ransomware from completely encrypting its files, and only a small percentage of the company’s 25,000+ clients were affected. The attack did not affect its cloud environment and the majority of its self-hosted environment was not impacted.

As is now typical in manual ransomware attacks, prior to file encryption, data was exfiltrated by the hackers. Blackbaud revealed in its breach notice that only a subset of data was copied by the attackers and highly sensitive data such as Social Security numbers, credit card information, and bank account information were not compromised.

Blackbaud said it its substitute breach notice that “…because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.”

It is, at present, not known how many Blackbaud clients have been affected by the attack. Northern Light Health Foundation said it was one of thousands affected in its breach notice, including several other healthcare groups in Maine. New York City-based Cancer Research Institute and the Santa Monica, CA-based Prostate Cancer Foundation, were also affected by the attack.

The BBC said that a minimum of 10 universities in the US, UK, and Canada have been impacted, including Harvard University, Emerson College in Boston, and the Rhode Island School of Design, along with charities, media companies, and a host of private sector firms. While the attack took place in May 2020, alerts were not sent to impacted clients until July 16, 2020. It is not known why there was such a long delay in warning affected clients, especially considering many of those clients are located in the EU. The EU General Data Protection Regulation (GDPR) states that notifications must be sent to data protection authorities within 72 hours of a breach and data controllers also need to be notified swiftly, without unnecessary delay.

Author: Maria Perez