Notice to Our Patients of Blackbaud Data Security Incident
The Sisters of Charity Health System (“SCHS”) is committed to protecting the security and privacy of our community members. Regrettably, we recently learned of an incident that occurred at one of our vendors, Blackbaud, Inc. (“Blackbaud”), that involved some SCHS information.
Blackbaud is a vendor that provides cloud-based relationship-management and fundraising data solutions for SCHS entities including Mercy Medical Center, Providence Hospitals (prior to 2016), St. Vincent Charity Medical Center, Building Healthy Communities, Early Childhood Resource Center, Healthy Learners, Joseph’s Home, Light of Hearts Villa, Regina Health Center, and South Carolina Center for Fathers and Families. On July 16, 2020, Blackbaud informed us it had discovered that an unauthorized individual had gained access to Blackbaud’s systems between February 7 and May 20, 2020, and may have acquired backup copies of databases used by its customers, including backups of the databases that SCHS entities use for fundraising efforts. We immediately took steps to understand the extent of the incident and the data involved.
Based on our review of the database involved in the incident, it may have contained some patient information, including names, contact information, gender, dates of birth, dates and locations of service, service lines, and treating physicians. The database may have also contained information about relationships with SCHS entities such as donation history, volunteer service and employment, if any.
Social Security numbers, credit card and financial account information contained in the database were encrypted, and therefore were not accessible. This incident did not involve any access to medical systems or protected health records. The incident only involved our constituent/donor databases.
In addition, Blackbaud has advised us that it worked with cybersecurity experts and law enforcement to respond to this incident. Based on its evaluation of the facts, Blackbaud has communicated that it believes that the backup involved in the incident has been destroyed and the data will not be published.
We want our patients to know that we are taking this matter very seriously. We mailed letters regarding the incident to those whose information was contained in the Blackbaud database beginning October 1, 2020. We have also established a dedicated call center to answer any questions about this incident, which may be contacted at 1-866-394-1537, from 9:00 a.m. to 6:30 p.m. Eastern, Monday through Friday, excluding major U.S. holidays.
For any affected patients, we recommend that you be vigilant against fraudulent communications such as phishing emails and phone calls, and always take steps to prevent unauthorized access to your own data by using strong passwords and never disclosing them to anyone.
We value the trust you have placed in us and apologize for any concern this incident may cause. To help prevent something like this from happening again, SCHS is evaluating our relationship with Blackbaud and reviewing the security requirements we have for our data solution service vendors.