Catholic Medical Center (“CMC”) has informed patients and donors that some of our data was compromised in the recent security incident involving software vendor Blackbaud. Blackbaud provides engagement and fundraising software to many non-profits, including CMC.
On July 16, 2020, Blackbaud notified CMC that they had recently discovered that a cyber criminal had breached their system and stolen information about many charitable organizations, including CMC. Blackbaud worked with law enforcement and cyber security specialists to expel the cyber criminal from their system. The company also paid a ransom in exchange for assurances that the stolen information would be destroyed.
The affected information did not include bank account information, credit card information, or social security numbers. However, it appears that the cyber criminal accessed patient and donor lists from CMC that included names, addresses, and information indicating if a person is alive or deceased. In addition, the cyber criminal may have accessed patients’ dates of admission to CMC, a code indicating what department cared for them, email addresses, physician names, dates of birth, donor history, and phone numbers. It is important to note that the incident did not impact CMC’s internal computer systems or our electronic medical records, which we continue to safeguard.
CMC is working diligently with Blackbaud to understand how this incident occurred and what steps we can take to prevent something like this from recurring. Blackbaud assured us that they have already taken steps to patch, clean, and secure their network in accordance with security standards for the financial and technology industries. In addition, Blackbaud informed us that they have strengthened their access controls and implemented robust risk assessment and network security testing protocols. Additional information about how Blackbaud is responding to this incident is available here.
Although CMC’s network was not breached as a result of this incident, we maintain an aggressive cyber security program. We also require our contracted vendors to implement administrative, technical, and physical safeguards to secure all sensitive information within their organizations. Internal teams have reviewed Blackbaud’s responses to this incident, and we are evaluating whether any changes to our relationship with Blackbaud are necessary to further protect information in the future. Patient privacy and security are of the highest importance to CMC, and we deeply regret that this incident occurred.