CHESAPEAKE, Va. - Chesapeake Regional Healthcare experienced a data security incident that began February 7 and may have intermittently reoccurred until May 20, the organization said.
Officials have notified 23,058 patients, donors and employees about the incident after learning that Blackbaud, a third-party service vendor providing fundraising, donor engagement and data hosting services for the Chesapeake Regional Health Foundation and other nonprofit organizations around the world, experienced a data security incident.
"Blackbaud discovered and stopped a ransomware attack and their cybersecurity team - together with independent forensics experts and law enforcement - successfully prevented the cybercriminal from doing further damage," officials said in a release.
On September 9, Blackbaud notified Chesapeake Regional that the incident had occurred. After obtaining the specific data, the vendor confirmed which patients, employees and donors had been involved.
According to Blackbaud, the cybercriminal removed a copy of the vendor's backup file, which may have contained personal contact information such as name, mail address, email address, demographics and a history of the person's relationship with the organization, such as donation dates and amounts.
Because the cybercriminal did not access credit card information, bank account information, social security numbers or other personal identification information, the data breach presents a low risk for identity theft, Chesapeake Regional Healthcare said.
According to Blackbaud, there is no evidence to believe that any data will be misused, disseminated or otherwise made publicly available.
Patients, donors and employees have been notified by first-class mail and/or email.
Blackbaud has assured Chesapeake Regional that they have implemented several changes to protect data from any subsequent incidents. Their team has confirmed through testing by multiple third parties that the implementation of their corrective action plan withstands all known attack tactics.
"Breaches happen every day. Sometimes it's the fault of software problems or coding problems, but it's just the way life in 2020. That's why it's so important for everyone to be trained on proper security procedures and what to do when they find out," said cybersecurity expert Gregg Tennefoss, who is a professor at Tidewater Community College.
Blackbaud has several clients in the Hampton Roads region. News 3 reached out to them to ask if they were impacted by the security breach. We also reached out to Blackbaud, who said, "To respect the privacy of our customers, we aren’t disclosing the total number of customers (or any segment) involved in the incident, and we cannot provide the names of those who were part of this incident nor can we discuss any customer specifically. Those customers which were part of this incident have been notified. We will not be commenting beyond the statement on our website. Thank you for understanding."