Notice Regarding Blackbaud Data Security Incident
UnityPoint Health ("UPH"), a non-profit health organization, recently learned that Blackbaud, a third-party service vendor used for fundraising and donor engagement efforts at non-profits worldwide, was the subject of a data security incident. This was a wide-reaching security event that involved data of many of Blackbaud's clients around the world, including certain information of Foundation donors.
On July 16, 2020, Blackbaud reported to UPH that it had identified a ransomware attack in progress on May 20, 2020. Blackbaud informed UPH that they stopped the ransomware attack and engaged forensic experts to assist in Blackbaud's internal investigation. That investigation concluded that cybercriminals intermittently removed data from Blackbaud's systems between February 7, 2020 and May 20, 2020. According to Blackbaud, the data was permanently destroyed, and they have assured UPH that they closed the vulnerability that allowed the incident.
Upon learning of the issue, UPH requested detailed information from Blackbaud about the nature and scope of the incident and engaged experts to assist UPH in determining what information was potentially involved and steps UPH can take to mitigate harm to UPH's patients and donors from this incident at Blackbaud.
The information potentially compromised during this incident may have included full names, addresses, dates of birth, phone numbers, and/or philanthropic giving history, such as donation dates and amounts. Importantly, this incident does not involve individuals' Social Security numbers and financial account information and/or payment card information, which were also not exposed. In addition, the UPH electronic health record system was not involved in this incident.
According to Blackbaud, there is no evidence that any data has been misused, disseminated, or otherwise made publicly available. Nevertheless, individuals should always remain vigilant in reviewing their financial account statements and credit reports for fraudulent or irregular activity on a regular basis and report any suspicious activity to the proper authorities.
The security of our donors' information is UPH's top priority, and we deeply regret any worry or inconvenience the Blackbaud incident may cause. Blackbaud has assured UPH that they closed the vulnerability that allowed the incident, and that they are enhancing their security controls and conducting ongoing efforts against incidents like this in the future. UPH remains fully committed to maintaining the privacy of information in its possession and has taken many precautions to safeguard it, including continually evaluating and modifying its practices, and those of its third-party service providers, to enhance data security.
For more information about this data security event, Blackbaud released a public statement acknowledging this incident and describing its cybersecurity practices, available at www.blackbaud.com/securityincident.
For further questions about this incident, please contact the dedicated response line at 888-490-0743, available Monday through Friday, 8 a.m. to 8 p.m. CT.