Christ Hospital: Personal information of patients compromised in ransomware attack

Cameron Knight
Cincinnati Enquirer
The front entrance of Christ Hospital in the Mt. Auburn neighborhood of Cincinnati on Thursday, March 12, 2020.

In a letter to patients this week, Christ Hospital officials said personal information – such as name and date of birth – was stolen in a data breach that has affected organizations across the globe.

Officials explained that the hospital uses software from a company called Blackbaud, a cloud-computing solution for "fundraising and constituent or donor engagement efforts."

Blackbaud suffered a ransomware attack in May. In a statement on its website, the company said it thwarted part of the attack, but ended up paying off the hackers.

"Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed," Blackbaud reported.

In a statement to The Enquirer, Christ Hospital said it was notified by Blackbaud of the breach on July 16.

"Blackbaud has communicated that there is no evidence to suggest misuse of any data accessed, we nonetheless immediately initiated our own investigation in partnership with outside experts to determine the impact to our stakeholders and appropriately notify them," the statement said.

Hospital officials said by the end of August they had determined some information from patients and donors was subject to the attack.

"As an organization committed to not only providing an exceptional patient experience but to protecting the security of patient information, we are taking this incident extremely seriously," the statement said.

Notifications began Sept. 14 "as a precautionary measure."

For the Christ Hospital patients affected by the breach, hospital officials said in the letter that Social Security numbers, health records and financial information were not obtained by the hackers.

Officials said the compromised data may have contained people's names, addresses, dates of birth, phone numbers, provider names and hospital departments associated with the patients.

"According to Blackbaud, there is no evidence to believe that any data will be misused, disseminated, or otherwise made publicly available," the letter states. "Blackbaud indicates that it has hired a third-party team of experts...to continue monitoring for any such activity."

The South Carolina-based Blackbaud is widely used by healthcare providers, non-profits, universities and school systems. According to its website, 30 of the top 32 largest nonprofit hospitals are "powered by our solutions."

The BBC reported in July that Blackbaud is not revealing the scale of the breach. Reporters there identified 19 colleges affected by the attack, including several in the U.S., along with Human Rights Watch, Vermont Public Radio and several other organizations.

Locally, two nursing facilities reported this month their data was also compromised in the attack.

Computer Weekly reported that the list of organizations affected by the breach was over 120 in July.

"We apologize that this happened and will continue to do our very best to supply help and support as we and our customers jointly navigate this cybercrime incident," Blackbaud wrote on its website.

Blackbaud has faced criticism in the cybersecurity community for paying off the hackers.

The FBI discourages the payment of ransoms for data breaches.

"Paying a ransom doesn’t guarantee you or your organization will get any data back," the FBI states on its website. "It also encourages perpetrators to target more victims and offers an incentive for others to get involved in this type of illegal activity."