Hundreds of thousands of Minnesotans are receiving letters warning them that their data may have been exposed in the second-largest healthcare data breach in state history.
The letters were sent to individuals who had donated to or been a patient of Allina Health hospitals and clinics or Children’s Minnesota, a two-hospital pediatric health system in the Twin Cities.
Breach notifications warned that personal data may have been exposed following a ransomware attack on third-party vendor Blackbaud in May 2020. The South Carolina company is one of the world's largest providers of education administration, fundraising, and financial management software.
To date, over 3 million people in the United States have been impacted by the attack on Blackbaud, which has also impacted a number of universities, charities, and organizations in the United Kingdom.
Attackers gained access to copies of a backup fundraising database stored by the Children’s Minnesota Foundation on Blackbaud’s cloud computing systems. Individuals impacted by the breach have been warned to monitor their medical bills for any instances of fraud.
In a statement regarding the incident, Children's Minnesota shared: "Based on our investigation and review of the affected Blackbaud database, the incident involved limited patient information that the Foundation received in connection with its fundraising efforts, including: full names, addresses, phone numbers, age, dates of birth, gender, medical record numbers, dates of treatment, locations of treatment, names of treating clinicians, and health insurance status."
Allina Health has notified more than 200,000 patients and donors that their data may have been exposed as a result of the attack on Blackbaud.
A statement on Allina's website seeks to reassure customers by rather optimistically telling them: "Blackbaud did pay the cybercriminal’s demand with confirmation that the copy of the data that they removed had been destroyed."
Patients and donors at Regions Hospital and Gillette Children's Specialty Healthcare in Minnesota have also received data breach notifications this month as a result of the attack on Blackbaud.
The Blackbaud-related breach of hundreds of thousands of records is the second-largest health data breach ever to have been reported in Minnesota. The largest breach, of 11,500,000 records, was reported in July last year by Optum360, LLC.