Cincinnati, OH, September 14, 2020 – The Christ Hospital Health Network (TCHHN), a not-for-profit health system and acute care provider, recently learned that Blackbaud, a third-party software and service provider used for fundraising and constituent engagement efforts at healthcare organizations, foundations, non-profits and universities worldwide, was the subject of a data security incident. This incident was widespread and impacted many of Blackbaud’s clients around the world, including certain personal information of The Christ Hospital patients. The Christ Hospital takes the security of our patients’ personal information extremely seriously and is notifying affected individuals and providing them with precautionary steps they can take to protect themselves.
On July 16, 2020, Blackbaud informed The Christ Hospital that it had discovered and stopped a ransomware event that occurred intermittently between February 7, 2020 and May 20, 2020. According to Blackbaud, they paid the threat actor to ensure that the data was permanently destroyed.
Once TCHHN was informed of the issue, it immediately initiated an internal investigation in partnership with outside experts to determine the impact to its stakeholders and appropriately notify them. On August 28, 2020, it was determined that the information removed by the threat actor contained personal information of some TCHHN patients, including full names, addresses, dates of birth, phone numbers, provider names, and/or hospital departments. Importantly, this incident does not impact patient Social Security numbers, financial account information, or payment card information. TCHHN’s electronic health record system was not impacted by this incident.
According to Blackbaud, there is no evidence to suggest that any data will be misused, disseminated, or otherwise made publicly available. Blackbaud indicates that it has hired a third-party team of experts, including a team of forensics accountants, to continue monitoring for any such activity. Nonetheless, The Christ Hospital encourages impacted individuals to take precautionary actions to help protect their personal information. These actions include placing a fraud alert and/or security freeze on their credit files, and/or obtaining a free credit report. Additionally, individuals should always remain vigilant in reviewing their financial account statements and credit reports for fraudulent or irregular activity on a regular basis and report any suspicious activity to the proper authorities.
The Christ Hospital deeply regrets any concern or inconvenience this may cause. As an organization committed to not only providing an exceptional patient experience, but to protecting the security of patient information, TCHHN is taking this incident extremely seriously, and remains committed to reviewing and enhancing its security practices, and that of its third-party partners and providers, on an ongoing basis in accordance with data security best practices.
For more information about this incident, Blackbaud released a public statement acknowledging this event and describing its cybersecurity practices, available at www.blackbaud.com/securityincident. Additionally, The Christ Hospital has established a dedicated and confidential toll-free response line to respond to questions at 844-945-3740. This response line is staffed with professionals familiar with this incident and knowledgeable on what individuals can do to protect their information. The response line is available Monday through Friday, 9:00am to 6:30pm Eastern Time.