11/18/2020
At USC Arcadia Hospital (“USC Arcadia Hospital”), we take
our responsibility to maintain the privacy and security of our patients’
personal information very seriously. Regrettably, we have learned that
MHSC is one of hundreds of hospitals, healthcare systems, and other nonprofit
organizations, including several in California, to be affected by a security
event at Blackbaud Inc., a well-respected provider of cloud and data services
for charitable organizations.
What Happened?
The USC Arcadia Hospital Foundation (the “Foundation”) is a nonprofit
corporation that is organized to fund charitable funds for the benefit
of USC Arcadia Hospital. In accordance with our policies and procedures, and as described
in our Notice of Privacy Practices provided to our patients (found on
our website at:
https://www.methodisthospital.org/For-Patients-Visitors/Notice-of-Privacy-Practices.aspx),
USC Arcadia Hospital provides limited information about our patients to our Foundation,
which contracts with Blackbaud to host the Foundation’s fundraising databases.
On September 9, 2020, we were notified by the Foundation that
Blackbaud discovered and stopped a ransomware attack that included our
Foundation’s donor database, as well as those of many other nonprofit
organizations. The ransomware attack occurred between February and May 2020, but Blackbaud
and the Foundation took time to determine which organizations were impacted
before we were notified of the attack.
In its investigation, Blackbaud stated that its cybersecurity team —
together with independent forensics experts and law enforcement —
successfully prevented the cybercriminal from blocking Blackbaud’s
system access.
Blackbaud ultimately expelled the cybercriminal from its system. Prior to locking the cybercriminal out,
however, the cybercriminal removed a copy of a backup file containing some
information about our patients. Blackbaud stated that they paid the ransom
and received confirmation that the cybercriminal had destroyed the copy
of the data removed from the system.
What Information Was Involved?
The information we had provided to the Foundation, which was copied and,
presumably, destroyed by the cybercriminal, may have included patients’:
- full name;
- contact information, such as telephone numbers, email address, and mailing address;
- demographic information, such as date of birth and sex; and
- medical record number and possibly admission date.
We had not provided any other health information, such as insurance information
or Social Security number, to the Foundation.
Based on the nature of the incident, Blackbaud’s research, and third-party
(including law enforcement) investigation,
Blackbaud has assured us that it has no reason to believe that any data
went beyond this cybercriminal or was disseminated or otherwise made available publicly. Blackbaud further stated that they have taken additional steps to ensure
that the backup file was permanently deleted.
What We Are Doing
Blackbaud has taken several steps in response to this incident. As part
of its ongoing efforts to help avoid an event like this from happening
in the future, Blackbaud has informed us that it has implemented changes
to help protect its system from any future incidents. Since learning of
the issue, Blackbaud identified the vulnerability associated with this
incident, including the tactics used by the cybercriminal, and has taken
actions to fix it. Additionally, Blackbaud is accelerating its efforts
to further improve its systems through enhancements to access management,
network segmentation, and other network-based platforms. As an additional
safety measure, Blackbaud has indicated that it has hired a third-party
team of experts to monitor the dark web for any further misuse of the data.
In response to Blackbaud’s notification,
USC Arcadia Hospital initiated a full investigation once the incident was identified and
has taken the necessary steps to prevent a similar event from occurring again, including reviewing and minimizing the sensitive data elements that are
provided to the Foundation and/or Blackbaud. In addition, we have reported
this incident to the California Department of Public Health.
What Our Patients Can Do
We want to emphasize again that Blackbaud has assured us that no Social Security numbers, credit cards, bank accounts or other information
of that nature were compromised. However, we recommend our patients remain attentive by reviewing their
account statements and credit reports closely and reporting any suspicious
activities.
Our Commitment to Our Patients
While data security incidents and ransomware attacks are unfortunately
becoming more common, this is not something USC Arcadia Hospital ever wants to happen
to our valued patients. Your privacy is of utmost importance to us. We
very much regret the inconvenience that this incident may have caused.
Please be assured that we take data protection very seriously and are
grateful for the continued support of our vital mission to deliver world-class
care to our patients.
If you have any other questions, please contact us via one of the methods below: