FALLS CHURCH, VA, September 9, 2020 – Inova Health System (“Inova”), a non-profit health organization, recently learned that Blackbaud, a third-party service vendor used for fundraising and alumni or donor engagement efforts at non-profits and universities worldwide, was the subject of a data security incident. This was a wide-reaching security event that involved data of many of Blackbaud’s clients around the world, including certain personal information of Inova patients and donors. Inova takes seriously the security of our patients’ and donors’ personal information, and is notifying affected individuals and providing them with steps they can take to protect themselves.
On July 16, 2020, Blackbaud informed Inova that it had discovered and stopped a ransomware event that occurred in May 2020. Blackbaud’s investigation concluded that the threat actor intermittently removed data from Blackbaud’s systems between February 7, 2020 and May 20, 2020, including certain information that Blackbaud maintained for Inova. According to Blackbaud, the data was permanently destroyed and they have assured us that they closed the vulnerability that allowed the incident.
Once Inova was informed of the issue, it immediately commenced a thorough investigation, in partnership with leading cybersecurity professionals, to determine who may have been affected, and to notify them. On August 10, 2020, Inova determined that the information removed by the threat actor may have contained certain personal information of some patients and donors, including full names, addresses, dates of birth, phone numbers, provider name(s), date(s) of service, hospital department(s), and/or philanthropic giving history such as donation dates and amounts. Importantly, this incident does not impact individuals’ Social Security numbers and financial account information and/or payment card information, which were also not exposed. In addition, the Inova electronic health record system was not impacted by this incident.
According to Blackbaud, there is no evidence to believe that any data will be misused, disseminated, or otherwise made publicly available. Nevertheless, Inova encourages impacted individuals to take actions to help protect their personal information. These actions include placing a fraud alert and/or security freeze on their credit files, and/or obtaining a free credit report. Additionally, individuals should always remain vigilant in reviewing their financial account statements, explanation of benefits statements and credit reports for fraudulent or irregular activity on a regular basis and report any suspicious activity to the proper authorities.
Inova deeply apologizes for any inconvenience this may cause. Blackbaud has assured Inova that they closed the vulnerability that allowed the incident, and that they are enhancing their security controls and conducting ongoing efforts against incidents like this in the future. Inova remains fully committed to maintaining the privacy of personal information in its possession and has taken many precautions to safeguard it, including continually evaluating and modifying its practices, and those of its third party service providers, to enhance data security.
For more information about this data security event, Blackbaud released a public statement acknowledging this incident and describing its cybersecurity practices, available at www.blackbaud.com/securityincident.
For further questions about this incident, or to determine if you are affected, you may contact the dedicated response line at 888-490-0278, available Monday through Friday, 9 a.m. to 9 p.m. ET.