UnityPoint Health Notifies Individuals of Blackbaud Data Security Incident
WEST DES MOINES, IA, September 14, 2020 – UnityPoint Health ("UPH"), a non-profit health organization, recently learned that Blackbaud, a third-party service vendor used for fundraising and donor engagement efforts at non-profits worldwide, was the subject of a data security incident. This was a wide-reaching security event that involved data of many of Blackbaud's clients around the world, including certain protected health information of patients and donors within three UPH Foundations: St. Luke's Foundation, Trinity Health Foundation, and Des Moines Foundation. UPH takes seriously the security of our patients' and donors' personal information and is notifying approximately 27,000 affected individuals and providing them with steps they can take to protect themselves.
On July 16, 2020, Blackbaud reported to UPH that it had identified a ransomware attack in progress on May 20, 2020. Blackbaud informed UPH that they stopped the ransomware attack and engaged forensic experts to assist in Blackbaud's internal investigation. That investigation concluded that cybercriminals intermittently removed data from Blackbaud's systems between February 7, 2020 and May 20, 2020. According to Blackbaud, the data was permanently destroyed, and they have assured UPH that they closed the vulnerability that allowed the incident.
Upon learning of the issue, UPH requested detailed information from Blackbaud about the nature and scope of the incident and engaged experts to assist UPH in determining what information was potentially involved and steps UPH can take to mitigate harm to UPH's patients and donors from this incident at Blackbaud.
The information potentially compromised during this incident may have included full names, addresses, dates of birth, phone numbers, provider names, dates of service, hospital departments, and/or philanthropic giving history, such as donation dates and amounts. Importantly, this incident does not involve individuals' Social Security numbers and financial account information and/or payment card information, which were also not exposed. In addition, the UPH electronic health record system was not involved in this incident.
According to Blackbaud, there is no evidence that any data has been misused, disseminated, or otherwise made publicly available. Nevertheless, UPH encourages affected individuals to take actions to help protect their personal information. These actions include placing a fraud alert and/or security freeze on their credit files, and/or obtaining a free credit report. Additionally, individuals should always remain vigilant in reviewing their financial account statements, explanation of benefits statements and credit reports for fraudulent or irregular activity on a regular basis and report any suspicious activity to the proper authorities.
The security of our patients' and donors' information is UPH's top priority, and we deeply regret any worry or inconvenience the Blackbaud incident may cause. Blackbaud has assured UPH that they closed the vulnerability that allowed the incident, and that they are enhancing their security controls and conducting ongoing efforts against incidents like this in the future. UPH remains fully committed to maintaining the privacy of personal information in its possession and has taken many precautions to safeguard it, including continually evaluating and modifying its practices, and those of its third-party service providers, to enhance data security.
For more information about this data security event, Blackbaud released a public statement acknowledging this incident and describing its cybersecurity practices, available at www.blackbaud.com/securityincident.
For further questions about this incident, or to determine if you are affected, you may contact the dedicated response line at 888-490-0743, available Monday through Friday, 8 a.m. to 8 p.m. CT.