[BreachExchange] Blackbaud Ransomware Victim Count Climbing

Destry Winant destry at riskbasedsecurity.com
Fri Sep 11 10:00:41 EDT 2020


https://www.databreachtoday.com/blackbaud-ransomware-victim-count-climbing-a-14972

The May ransomware attack on cloud-based fundraising database
management vendor Blackbaud continues to rack up victims in the
healthcare sector.

A snapshot Wednesday of the federal health data breach tally shows at
least eight organizations - including seven in recent weeks -
reporting breaches linked to the Blackbaud incident, affecting a combined
total of nearly 1.6 million individuals so far - with additional
relevant breaches yet to be posted.

The Blackbaud ransomware incident also has affected organizations in
other industries. And the company now faces a lawsuit that questions
the company's move to pay off a hacker in return for a promise to
delete data that was stolen (see: Class Action Lawsuit Questions
Blackbaud's Hacker Payoff).

The largest of the Blackbaud-related health data breaches was reported
in August by Maine-based healthcare delivery system Northern Light
Health, which said 657,000 individuals were affected. That makes this
part of the Blackbaud incident alone the second largest breach listed
on the Department of Health and Human Services' HIPAA Breach Reporting
Tool website so far this year.

Over the last month, at least seven additional breaches tied to the
Blackbaud ransomware attack have been posted on the tally, which lists
health data breaches affecting 500 or more individuals.

One of those entities - Washington-based MultiCare Health System -
reported to HHS a breach involving the Blackbaud ransomware attack
affecting about 179,000 individuals. But the organization says in a
statement that it's notifying 300,000 "donors and patients."

At least two more health data breaches - reported by North
Carolina-based Atrium Health and Illinois-based NorthShore University
HealthSystem - have not yet made it to the federal tally. The Chicago
Tribune reports that the NorthShore breach affected 348,000
individuals.

Blackbaud Ransomware Attack Breaches on Tally So Far

Breached Entity - Individuals Affected
Northern Light Health - 657,000
Saint Luke's Foundation - 360,000
MultiCare Health System - 179,000
University of Florida Health - 136,000
The Guthrie Clinic - 92,000
Main Line Health - 61,000
Aveanna Healthcare - 166,000
Northwestern Memorial HealthCare - 56,000
Spectrum Health - 53,000
Atrium Health - N/A
NorthShore University HealthSystem - N/A
Total: 1,594,000
Sources: U.S. Dept. of Health and Human Services, breached healthcare entities

Vendor Attacks

The Blackbaud ransomware attack is the second major hacking incident
in 2020 involving a vendor that has been responsible for large victim
counts in the healthcare sector.

An April ransomware incident involving managed healthcare company
Magellan Health has impacted about a dozen healthcare sector entities
reporting breaches affecting a total of nearly 1.7 million
individuals.

So far, at least one organization and its affiliates have reported
breaches involving both the Blackbaud and Magellan Health ransomware
incidents.

At least three University of Florida-related entities that offer their
employees Magellan Health plans are listed on the HHS website as
reporting breaches linked to the Magellan ransomware attack. Those
breaches affected a total of more than 76,000 individuals.

The University of Florida Health also reported to HHS on Aug. 14 a
breach affecting nearly 136,000 individuals tied to the Blackbaud
ransomware incident.

More Hacks

While a growing list of healthcare organizations have been stung by
ransomware attacks on vendors in recent months, several healthcare
entities have reported their own large hacking breaches in recent
weeks, some involving ransomware.

For instance, three of the largest hacking incidents posted on the HHS
tally in recent weeks affected:

Louisiana-based Baton Rouge Clinic, affecting 308,000 individuals;
Arizona-based Assured Imaging, impacting nearly 245,000;
Kentucky-based Imperium Health, affecting more than 139,000.

Other Trends

As of Wednesday, 345 breaches impacting about 11.6 million individuals
have been added to the HHS tally in 2020.

Of those, 217 breaches affecting a combined total of nearly 9.8
million individuals were reported as hacking/IT incidents.

So far in 2020, 115 breaches impacting nearly 5.3 million individuals
were reported as involving a business associate. That means that while
business associates were reported "present" in only about one-third of
the health data breaches posted to the HHS tally so far this year,
those incidents accounted for more than half of the individuals
impacted.

Unauthorized access/disclosure breaches are the second most common
type reported so far this year, with 81 incidents impacting 423,000
individuals.

Since 2009 when federal regulators began keeping a tally, 3,412 major
health data breaches affecting a combined total of nearly 251 million
individuals have been posted to the HHS site.

Business Associate Risks

With hacking incidents involving vendors leading to so many large
health data breaches, healthcare sector entities need to ratchet up
their third-party risk management efforts, some experts note.

"It is now more important than ever to have business associates attest
in detail how they are in compliance with the HIPAA Security Rule and
how current and how comprehensive their risk analysis is," says Susan
Lucci, senior privacy and security consultant at tw-Security.

"On another front, it is extremely important for covered entities to
document their BA compliance levels, but also to ask if they utilize
any downstream business associates and if they are vetting those
business associates' compliance levels."

Technology Integration

Jason Ortiz, a senior product engineer at the security consultancy
Pondurance, says healthcare entities also need to closely scrutinize
the security risks tied to their vendors' technology deployments.

"Vendor integration with core corporate environments is undoubtedly
one of the scariest things a CISO can experience," he says.

Healthcare organizations' IT and security teams usually have limited
visibility into a vendor's hardware and software integration, as well
as the vendor's policies regulating access and other controls, he
says.

Even if a CISO does their due diligence during the purchasing process
to ensure they are working with vendors practicing strong security
standards, there is always additional risk of a breach with these
integrations, he says.

"Monitoring and detection of abnormal activities on or related to
these vendor integrations is the next best thing you can do to protect
your environment. If you cannot prevent the breach entirely due to
lack of visibility and control over the integrations, detecting when
and how it's happening could save the entire corporate environment."

Healthcare organizations are increasingly reliant on connected
technologies to provide healthcare services to patients, Ortiz notes.

"As a result, these organizations need to have a world-class security
program that protects their assets. This must go far beyond solely
remaining compliant and needs to incorporate strong elements of the
entire security lifecycle as described by the National Institute of
Standards and Technology," he says.
