On September 30, 2020, Blackbaud submitted a Form 8-K with the SEC (U.S. Securities and Exchange Commission) that gave more details on the ransomware attack encountered by the company in May 2020. Blackbaud stated that the forensic inquiry into the breach has uncovered that more information was possibly exposed due to the breach. For a number of clients, unencrypted fields that were meant for usernames and passwords, Social Security numbers, and bank account details may also have been viewed by the attackers.
For the majority of the clients impacted by the breach, this additional data were not exposed. Because the fields for sensitive data were encrypted, the attackers could not read any data contained in those fields. Blackbaud stated that it has notified all clients who might have had their sensitive data exposed and provided them with additional support.
Blackbaud stated in the SEC filing that it was able to stop the hackers from totally encrypting selected files yet affirmed that before encryption a part of data was extracted from the private hosted cloud of Blackbaud.
Blackbaud earlier stated that it paid the ransom demand to make certain that no stolen data stolen would be sold or disclosed to the public. The attackers guaranteed that the stolen information was deleted after getting the ransom payment. The amount of ransom payment was not mentioned in the SEC filing.
Blackbaud is certain that no data was published publicly or further exposed; nonetheless, there is generally a risk to paying hackers who performed an attack, stolen information, and encrypted files. They may not keep their word and may still possess a copy of the data they stole. Blackbaud is implementing safety measures and got a cybersecurity agency to monitor any release of the stolen data on the dark web and the hacking forums.
Blackbaud issued notifications concerning the data breach on July 16 in observance of HIPAA guidelines to report a breach in 60 days. All through August and September, there is a steady increase in the number of breaches posted on the HHS’ Office for Civil Rights breach portal. About 58 healthcare companies in the US have openly stated having been impacted by the breach and over 3 dozen breaches are now posted on the OCR breach website.
The worst impacted entity to date is Trinity Health, which stated that the protected health information (PHI) of 3,320,726 people were exposed. The breach also affected the PHI of Inova Health System’s 1,045,270 clients and Northern Light Health’s 657,392 clients. A lot of other healthcare companies have said the breach impacted a large number of people. Thus far, the PHI of nearly 10 million people had been exposed.
Blackbaud is working together with security companies and law enforcement in the ongoing investigations into the breach.