Notice of Blackbaud Vendor Data Incident
Blackbaud, Inc., one of our outside vendors, recently made us aware of a data security incident that may have involved personal data.
What happened? On July 16, 2020, we were notified that Blackbaud had discovered and stopped a ransomware attack on Blackbaud’s self-hosted platform in May 2020. Blackbaud is the global market leader in third-party not-for-profit donor applications used by many charitable, health, and educational organizations in the U.S. and abroad.
What information was involved?
Blackbaud has specifically informed us that the cybercriminal did NOT access credit card information, bank account information, or social security numbers. According to Blackbaud, the cybercriminal did, however, remove a copy of a subset of Blackbaud customer data beginning as early as February 2020, which could have included information used by us for fundraising purposes, such as names, contact information, and/or demographic / donor profile information. Individual files varied. Some may have contained minimal health information, such as date of discharge, department, and/or physician name. Blackbaud paid the cybercriminal’s ransom demand with confirmation that the copy the cybercriminal removed had been destroyed.
Blackbaud does not believe this incident poses any risk to individuals, because, based on the nature of the incident, Blackbaud’s research, and third-party (including law enforcement) investigation, Blackbaud has no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly. Blackbaud has reportedly hired a third-party team of experts to monitor the internet and dark web as an extra precautionary measure.
What are we doing? We are sending notices as potentially required by law to the last known address of any individuals who potentially were affected. We are reviewing all relevant business practices regarding the security of Blackbaud data. We have notified individuals as required by law at the last known address. Blackbaud reports that it has implemented numerous security changes. Blackbaud stated that it quickly identified the vulnerability associated with this incident and took swift action to fix it. Blackbaud has stated that it has confirmed through testing by multiple third parties that its fix withstands all known attack tactics. Finally, Blackbaud is further hardening its environment through enhancements to access management, network segmentation, and deployment of additional endpoint and network-based platforms.
What can you do? Based on the Blackbaud notice, this incident is not likely to result in a risk of harm to individuals, and as such, Blackbaud does not think there is anything more that needs to be done at this time relating to this specific incident.
NOTE: It is always advisable for all individuals at all times to maintain the routine personal practice of remaining vigilant to cybercriminal scams (e.g., phishing scams, illegitimate requests for personal information or money, etc.), which are common occurrences. If suspicious activity is detected on any personal credit statements, credit reports or financial accounts, promptly report discrepancies to the applicable financial entity, law enforcement authorities, your State Attorney General’s office, and/or the credit bureaus: Equifax (P.O. Box 74021, Atlanta, GA 30374; 800-685-1111; www.equifax.com), Experian (P.O. Box 2002, Allen, TX 75013; 888-397-3742; www.experian.com) or TransUnion (P.O. Box 1000, Chester, PA 19016; 800-916-8800; www.transunion.com). Additionally, for a free copy of your credit report and guidance on how to protect your personal information with fraud alerts and security freezes, you may contact the credit bureaus and/or the Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, D.C. 20580, 1-877-IDTHEFT (438-4338), or www.ftc.gov/idtheft.
For more information about this incident, individuals can consult blackbaud.com/securityincident or call toll-free 1-877-461-2593, 9 am – 6:30 pm EST Monday – Friday (excluding major holidays). The call center will remain in place for 90 days. We sincerely apologize for any inconvenience this may have caused. Thank you for the continued support of UTMC.
The University of Tennessee Medical Center