Hack compromises hospital’s patient, donor information
The personal information of roughly 2,000 Texas Children’s Hospital patients and donors has been compromised as a result of a cyber attack against a third-party cloud software provider used by institutions around the country.
Texas Children’s this week mailed letters advising the individuals of the ransomware attack involving Blackbaud, a company that hosts fundraising databases of hundreds of universities, health-care systems, charities and other institutions. The attack reportedly has exposed the information of hundreds of thousands of people.
Blackbaud paid a ransom demanded by the attackers in return for the destruction of the stolen information. The company said it has confirmation that the attackers did destroy the information in question.
“Like thousands of other organizations impacted by this incident, Blackbaud did not protect our donors’ data as required, and we regret any inconvenience or concern this incident may cause those affected,” Texas Children’s said in a statement. “Texas Children’s takes this incident very seriously and is taking steps to reduce the risk of an incident like this happening again.” The statement added that Texas Children’s has initiated an investigation into the incident. It includes a review of whether security enhancements Blackbaud has added to resolve the vulnerability exposed in its systems are sufficient to protect Texas Children’s information.
Before Blackbaud secured its systems, the attackers removed a copy of a subset of data relating to many of its customers, including a backup of the Texas Children’s donor database. According to the Office of Civil Rights, the information of 1,987 Texas Children’s patients and donors was exposed.
The information exposed is considered health information, though it did not involve electronic health or financial records. Texas Children’s determined that attackers gained access to certain free text fields in its fundraising database that contain patients’ names, dates of birth, department of service, treating physician and limited clinical information. It does not include Social Security numbers, the hospital said.
Blackbaud informed Texas Children’s of the ransomware attack July 16. The attack occurred between Feb. 7 and March 20, 2020.
Organizations are continuing to assess the cost of the attack months later. Some other institutions took far greater hits than Texas Children’s — Children’s Minnesota, for instance, recently announced that the personal data of more than 160,000 patients may have been compromised in the incident.
It is unclear how many Houston-area institutions were affected by the cyber attack. An August notice on the University of Houston website noted that the school was possibly impacted by the incident, and Baylor College of Medicine took out a legal advertisement in the Sept. 4 edition of the Houston Chronicle acknowledging the incident may have compromised some patient information. The UH page said that 45,000 universities and other nonprofit organizations, including the University of Texas and Texas Tech systems, use Blackbaud.
Houston’s Memorial Hermann and Houston Methodist health systems were not impacted, officials there said.
Blackbaud officials did not respond to a Houston Chronicle inquiry about the matter.
The Non-Profit Times reported that Blackbaud is working with the Columbia, S.C., bureau of the FBI. A spokesman for the FBI declined to acknowledge there is an investigation but did not deny one is ongoing, reported the publication, which said there have been no reports filed with the Charleston or Mount Pleasant, S.C., police departments and no announced arrests.
It added that the amount of the ransom and how it was paid were not made available.
Texas Children’s is recommending that patients review the statements they receive from their health care providers and contact their provider immediately if there are services they didn’t receive.
The hospital has established a dedicated call center at 1-888-604-0161 to answer any questions about the incident. The call center is available Monday through Friday between 8 a.m. and 5:30 p.m.