The two largest healthcare data breaches reported to the federal government last month were both tied to a ransomware attack at a third-party software vendor, Blackbaud.
Combined, the two data breaches at Northern Light Health in Brewer, Maine, and St. Luke’s Foundation in Kansas City, Mo., compromised personal data on more than 1 million people.
Dozens of healthcare organizations, educational institutions and other not-for-profits in the U.S. and abroad were affected by the May cyberattack at Blackbaud, a company that sells software to not-for-profits to manage fundraising, marketing and other operations.
Northern Light on Aug. 3 reported that up to 657,392 people who had personal data held in the health system foundation’s fundraising databases, which are hosted by Blackbaud, might have had information exposed in the incident.
The cybercriminals who attacked Blackbaud accessed files that contained fundraising information related to donors, possible donors, people who had attended fundraising events and “patients who we believe may want to support our healthcare mission,” among other community members, according to a notice from Northern Light Health Foundation.
Saint Luke’s Foundation, the foundation affiliated with Saint Luke’s Health System, on Aug. 20 reported that up to 360,212 people may have had personal data compromised in the same incident at Blackbaud.
NorthShore University HealthSystem in Evanston, Ill., last week said an estimated 348,000 patients may have had personal information compromised in the Blackbaud attack.
Blackbaud said that after discovering the ransomware attack in May, its security team blocked the cybercriminals before they could fully encrypt files and expelled them from the company’s information systems; by that point, however, the attackers had already exfiltrated a copy of some of the company’s data.
Blackbaud paid the cybercriminals’ ransom demand, and in exchange the attackers destroyed the copied data, according to a notice describing the incident that Blackbaud posted online.
As of Tuesday, HHS’ Office for Civil Rights—the agency that maintains the government’s database of healthcare data breaches—had posted 31 data breach reports that healthcare providers, insurers and their business associates had submitted to the agency in August. In total, the 31 data breaches compromised data on a collective 2.1 million patients.
The average number of patients affected per incident was roughly 69,263 in August, the highest monthly average so far this year. That figure is driven up in part by eight breaches reported in August that each exposed data on more than 100,000 patients, including the incidents at Northern Light and St. Luke’s.
In July, the average number of patients affected per data breach was just over half of that 69,263 figure, at 35,776.