One of the biggest breaches of the year is not getting the attention it deserves, and impacts millions of people.
A recent report by DataBreaches.net predicts that the Blackbaud ransomware attack will be “the largest or one of the largest breaches” of 2020 that involves patient health information (PHI), as 3.4 million patient records have now been reported as impacted. The interim report analyzed all organizations that might collect health data from donors, and was not limited to HIPAA-covered entities.
Furthermore, researchers at Modern Healthcare called out that eight out of ten of the healthcare data breaches reported to HHS in September 2020 actually stemmed from the Blackbaud ransomware incident. “Nearly 80 organizations that work with health data had information compromised in the Blackbaud data breach, affecting data on a collective 5.5 million people so far," according to the article. The month of September was a busy month for the HHS, where an influx of breach reports came in, after record-setting low numbers reported in the first half of 2020. Critical Insight covered the downturn, and the prediction of a H2 spike – exactly what’s now coming true, as part of their 2020 H1 Healthcare Data Breach Data Report.
Dozens of healthcare organizations, educational institutions and other not-for-profits in the U.S. and abroad were affected by the ransomware attack at Blackbaud, a company that sells software to not-for-profits to support fundraising, marketing, and operations. As a result, Blackbaud is now under fire from regulators and customers alike - who are now filing lawsuits against the company for breach of contract and invasion of privacy.
Impacted organizations were notified on July 16th, 2020, that Blackbaud’s systems for their donor software program, Raiser’s Edge, had experienced ‘unauthorized access’ from February 7-March 20, 2020 where personally identifiable information had been extracted, and ransom had been extorted from Blackbaud. In exchange for the money, the cyber criminals said they destroyed the data copy, according to Blackbaud’s security notice describing the incident.
An update in late September to the incident's report online noted that a small number of impacted customers also had unecrypted payment information exposed, despite the software company's previously stated claim that all customer data had been encrypted within their system.
In an interview with Modern Healthcare, Drex DeFord, healthcare executive strategist at cybersecurity Critical Insight and former health system chief information officer said, "It's not unusual for foundations to solicit patients for donations”, but how much information is collected, and the type of information collected is, "specific to the patient and their disease, where they were treated, and who the doctors were, I think probably varies widely."
It's a particularly bad time for a breach of fundraising systems, he said, since hospitals have lost revenue amid COVID-19.
"Healthcare organizations (and) not-for-profits rely on donors now more than ever," DeFord said. "This is exactly the wrong time to see a donor database compromised and those donors then starting to second guess whether or not they should give money."
The Blackbaud incident is typical of the uptick in double-extortion ransomware attacks, where the ransomware gangs target large corporate networks for their initial foothold, and steal data from victims before encrypting their local files. If a victim refuses to pay, the crime gang threatens to put the stolen data up for sale on the dark web. Sometimes, even when the victim pays, the criminals sell the data. There is no indication that the criminals in this case are selling the data they stole.
Paying a hacker's ransom demand is discouraged by cybersecurity experts and the FBI because paying the ransom enables future criminal activity. Depending on the cyber criminals demanding ransom, it can also be illegal to pay the ransom. The U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued an advisory in early October 2020 noting that any cybersecurity insurers, financial institutions, or representative organizations that may facilitate ransom payments “not only encourage future ransomware payment demands but also may risk violating OFAC regulations.” The advisory goes on to state that “facilitating ransomware payments on behalf of a victim may violate OFAC regulations” if the criminal organization or individual is sanctioned or from a sanctioned jurisdiction.
If you are experiencing an active ransomware attack, or you suspect your systems have been penetrated by lurking hackers, Critical Insight has an on-call Incident Response team ready to assist. Contact Critical Insight here.