Hundreds of thousands of patients and donors to Children’s Minnesota and Allina Health hospitals are getting letters saying some of their personal data may have been exposed in the second-largest health-care data breach in state history.
The growing list of those affected includes more than 160,000 patients and donors at Children’s Minnesota, and more than 200,000 patients and donors from Allina Health hospitals and clinics.
Those notified of the breach involving Children’s Minnesota are being told to watch their medical bills for signs of fraud. Allina’s breach notice says the information involved, including names and addresses and possibly medical information, does not put individuals at risk for identity or financial theft.
Patients and donors to at least four different health care providers in the state — Children’s, Allina, Regions Hospital and Gillette Children’s Specialty Healthcare — have been getting notifications in the mail this month saying their or their children’s data may have been pilfered from a contractor called Blackbaud that works for the hospitals’ charitable foundations. Nationally, more than 3 million people are affected by the breach, which Blackbaud discovered in May.
Children’s Minnesota, a two-hospital pediatric health system in the Twin Cities, is notifying more than 160,000 families that the data breach at South Carolina-based Blackbaud allowed hackers to obtain copies of a backup fundraising database stored by the Children’s Minnesota Foundation on Blackbaud’s cloud-computing systems.
The letter from Children’s Minnesota says the exposed data likely included the pediatric patient’s full name, date of birth, address, phone number, age, gender, medical record number, dates and locations of treatment, names of treating doctors and insurance status.
The letter from Allina says the breach definitely included names and addresses, and that it may have included dates of birth, dates of care, and the names of doctors and departments visited.
The Blackbaud breach constitutes the second-largest health data breach in the state, according to records maintained by the federal Office for Civil Rights. On Wednesday morning, a spokesman for Regions Hospital in St. Paul confirmed that breach notification letters are being sent to 52,795 patients, and Gillette confirmed it sent 1,766 such letters.
Allina confirmed Wednesday that data from about 200,000 donors and patients may have been hacked, though the health system is notifying everyone in its database.
Each of the health care providers says it has notified those whose information was taken.
“Since learning of this incident, we have been working with Blackbaud to understand the scope of the ransomware attack and the steps it is taking to prevent future data security incidents,” an Allina spokesperson wrote. “Our security experts have evaluated Blackbaud’s security protocols and feel confident it has taken the appropriate action to further protect the information entrusted to it.”
Like officials at other hospitals, a spokesman at Gillette Children’s said the data were provided to the foundation and Blackbaud as part of fundraising efforts that reach out to patients, or their families, who have had good experiences with the hospital.
“We track a limited amount of information in the Blackbaud database so we are able to identify which doctor, or department, someone has interacted with if they would like to direct their gift to a specific program,” the Gillette Children’s statement said.
Minneapolis-based bone-marrow transplant registry company Be The Match notified donors of the breach in a letter dated Aug. 11.
The largest health care data breach reported by a Minnesota company happened last year, when Optum360 — a division of Minnetonka-based insurer and services provider UnitedHealth Group — disclosed that records on 11.5 million people were exposed.
Most of those records did not involve Minnesotans. Rather, Optum360 had contracted with a now-bankrupt outside firm called American Medical Collection Agency, whose computers were breached. Optum itself had been working for Quest Diagnostics, which provided health and financial data on patients who were being sent to collections.
Securities filings show that Quest has been sued by patients over the breach, and is being investigated by state and federal officials.
Across the nation, dozens of charities and hospitals whose data were stored on Blackbaud computers have reported breaches to more than 3.4 million donors and patients, according to a tally compiled by an independent researcher at the website www.databreaches.net.
“The Blackbaud breach is likely to be the biggest or one of the biggest breaches involving patient information in 2020,” wrote “Dissent Doe,” a blogger at databreaches.net who is also a health care provider and has posted about health-data breaches since 2008.
The incident was not limited to health care. In July, charitable organizations around Minnesota began e-mailing donors about the breach, including Feed My Starving Children, Catholic Charities of St. Paul and Minneapolis and Cretin-Derham Hall High School. The Pioneer Press reported that Dodge Nature Center and Preschool in West St. Paul also was affected.
The Hennepin Healthcare Foundation, which raises money for the Minneapolis-based health system, also was hit by the breach. But the July 22 letter about the breach says only that the contact and demographic information of donors to the foundation, plus a history of past donations and amounts, were compromised.
“We recommend you remain vigilant and be on-guard for any scams or social engineering attacks that may use previous donations, as a way of establishing trust and impersonating us or another nonprofit,” the Hennepin Healthcare letter said. “Please contact us immediately if you are suspicious someone is using your support of Hennepin Healthcare to leverage additional personal information or donations.”
Blackbaud, which bills itself as the world’s leading cloud-storage firm for charities, discovered in May that a computer hacker outside the company had gained the ability to log into an internal data-center server and download files as early as February.
“The attack was sophisticated enough that it initially looked like legitimate customer activity. When it escalated, the attack evaded our endpoint detection, intrusion prevention, and monitoring processes,” a company official told The Nonprofit Times. Blackbaud declined to comment to the Star Tribune, but it did send a link to the article.
Although the attack did not penetrate Blackbaud’s cloud-computing operations, the hacker downloaded a “subset” of data before the intrusion was blocked, according to the narrative in The Nonprofit Times, which interviewed several Blackbaud officials.
After cutting off access, Blackbaud paid an undisclosed ransom to the attacker in exchange for “confirmation that the copy they removed had been destroyed,” Blackbaud’s official statement on the incident says. No credit card information, bank account information, or Social Security numbers were stolen, according to the company.
The cyberattack, which began with undetected unauthorized access on Feb. 7, was over by June 3, but communications about the ransom to destroy the downloaded files continued throughout June. By June 25, Blackbaud had received an official report from its independent forensic investigator that allowed it to start pinpointing which organizations’ information was affected.
Blackbaud says it has “no reason” to believe data compromised as part of the ransomware attack will ever be misused or disseminated publicly.
“Their motivation was to disrupt our business by encrypting customer files in our datacenters, which we were able to prevent. We have hired a third-party team of experts to monitor the dark web as an extra precautionary measure,” the company said.
Like the letter from Hennepin Healthcare, the letter from Children’s Minnesota says those affected should be on the lookout for fraud, such as charges for services that were never given.
Blackbaud did not say why hospitals are advising patients and donors to watch for suspicious activity if there was no indication that the data would be misused. Blackbaud’s e-mail said it would not comment beyond a statement on its website, “out of respect to the privacy for our customers.”
Some question why hospitals are sharing patient data with a third party working on fundraising.
Even though health care providers typically require patients or guardians to sign paperwork acknowledging medical data may be shared with outside parties, some patients don’t understand why a charitable foundation needs access to medical records.
“I’m consenting for doctors to do with whatever they need to do, but not the medical data and history of my child to go to a third party so they can market to me for fundraising campaigns,” said Matt Berg of Minneapolis, who got one of the letters this week. His child has gone to Children’s Minnesota in the past.
A spokeswoman for Children’s Minnesota said in an e-mail Wednesday morning that it’s common for not-for-profit health care systems to track past patient interactions for fundraising.
“Often, people choose to make a donation to our foundation after they or a loved one has received care at one of our facilities. We track a limited amount of information in the Blackbaud database so, for example, we are able to identify which clinician or department a family has interacted with in the event they would like to direct their gift to a specific program,” the Children’s spokeswoman said.
A year ago, Children’s reported a breach involving nearly 38,000 people whose protected health information was viewable over the Internet because of a programming error, including names, insurance information and past treatments. Following that incident, all staff were retrained and additional safeguards were put into place.