[BreachExchange] Minnesota's second-largest health care data breach hits Children's, Allina

Destry Winant destry at riskbasedsecurity.com
Thu Sep 17 10:29:59 EDT 2020


https://www.startribune.com/minnesota-s-second-largest-health-care-data-breach-hits-children-s-allina/572430632/

Hundreds of thousands of patients and donors to Children’s Minnesota
and Allina Health hospitals are getting letters saying some of their
personal data may have been exposed in the second-largest health care
data breach in state history.

The growing list of those affected includes more than 160,000 patients
and donors at Children’s Minnesota, and more than 200,000 patients and
donors from Allina Health hospitals and clinics.

Those notified of the breach involving Children’s Minnesota are being
told to watch their medical bills for signs of fraud. Allina’s breach
notice says the information involved, including names and addresses
and possibly medical information, does not put individuals at risk for
identity or financial theft.

Patients and donors to at least four different health care providers
in the state — Children’s, Allina, Regions Hospital and Gillette
Children’s Specialty Healthcare — have been getting notifications in
the mail this month saying their or their children’s data may have
been pilfered from a contractor called Blackbaud that works for the
hospitals’ charitable foundations. Nationally, more than 3 million
people are affected by the breach.

Children’s Minnesota, a two-hospital pediatric health system in the
Twin Cities, is notifying more than 160,000 families that the data
breach at South Carolina-based Blackbaud allowed hackers to obtain
copies of a backup fundraising database stored by the Children’s
Minnesota Foundation on Blackbaud’s cloud-computing systems.

The letter from Children’s Minnesota says the exposed data likely
included the pediatric patients’ full name, date of birth, address,
phone number, age, gender, medical record number, dates and locations
of treatment, names of treating doctors and insurance status.

The letter from Allina says the breach definitely included names and
addresses, and that it may have included dates of birth, dates of
care, and the names of doctors and departments visited.

The Blackbaud breach constitutes the second-largest health data breach
in the state, according to records maintained by the federal Office
for Civil Rights. On Wednesday, a spokesman for Regions Hospital in
St. Paul confirmed that breach notification letters are being sent to
52,795 patients, and Gillette confirmed it sent 1,766 such letters.

Allina confirmed Wednesday that data from about 200,000 donors and
patients may have been hacked, though the health system is notifying
everyone in its database.

Each of the health care providers says it has notified those whose
information was taken.

“Since learning of this incident, we have been working with Blackbaud
to understand the scope of the ransomware attack and the steps it is
taking to prevent future data security incidents,” an Allina
spokesperson wrote. “Our security experts have evaluated Blackbaud’s
security protocols and feel confident it has taken the appropriate
action to further protect the information entrusted to it.”

Like officials at other hospitals, a spokesman at Gillette Children’s
said the data were provided to the foundation and Blackbaud as part of
fundraising efforts that reach out to patients or their families who
have good experiences with the hospital.

“We track a limited amount of information in the Blackbaud database so
we are able to identify which doctor, or department, someone has
interacted with if they would like to direct their gift to a specific
program,” the Gillette Children’s statement said.

Minneapolis-based bone-marrow transplant registry company Be The Match
notified donors of the breach in a letter dated Aug. 11.

The largest health care data breach reported by a Minnesota company
happened last year, when Optum360 — a division of Minnetonka-based
insurer and services provider UnitedHealth Group — disclosed that
records on 11.5 million people were exposed.

Most of those records did not involve Minnesotans. Rather, Optum360
had contracted with a now-bankrupt firm whose computers were breached.
Optum itself had been working for Quest Diagnostics, which provided
health and financial data on patients who were being sent to
collections. Securities filings show that Quest has been sued by
patients over the breach and is being investigated by state and
federal officials.

Across the nation, dozens of charities and hospitals whose data were
stored on Blackbaud computers have reported breaches to more than 3.4
million donors and patients, according to the website
databreaches.net.

“The Blackbaud breach is likely to be the biggest or one of the
biggest breaches involving patient information in 2020,” wrote
“Dissent Doe,” a blogger at databreaches.net who is also a health care
provider and writes about health-data breaches.

The Blackbaud incident was not limited to health care. In July,
charitable organizations around Minnesota began e-mailing donors about
the breach, including Feed My Starving Children, Catholic Charities of
St. Paul and Minneapolis and Cretin-Derham Hall High School, among
others.

The Hennepin Healthcare Foundation, which raises money for the
Minneapolis-based health system, also was hit by the breach. But a
July 22 letter about the breach says only that the contact and
demographic information of donors to the foundation, plus a history of
past donations and amounts, were compromised.

“We recommend you remain vigilant and be on guard for any scams or
social engineering attacks that may use previous donations as a way
of establishing trust and impersonating us or another nonprofit,” the
foundation wrote.

Blackbaud, which bills itself as the world’s leading cloud-storage firm
for charities, discovered in May that a computer hacker outside the
company had gained the ability to log into an internal data-center
server and download files as early as February.

Blackbaud declined to comment to the Star Tribune, but it did send a
link to an article about the hack. Although the attack did not
penetrate Blackbaud’s cloud-computing operations, the hacker
downloaded a “subset” of data before the intrusion was blocked,
according to a story in the Nonprofit Times, which interviewed several
Blackbaud officials.

After cutting off access, Blackbaud paid an undisclosed ransom to the
attacker in exchange for “confirmation that the copy they removed had
been destroyed,” Blackbaud’s official statement on the incident says.
It says no credit card information, bank account information or Social
Security numbers were stolen.

The cyberattack that began with undetected unauthorized access on Feb.
7 was over by June 3, but communications about the ransom to destroy
the downloaded files continued throughout June. By June 25, Blackbaud
got an official report from its independent forensic investigator that
allowed it to start to pinpoint which organizations’ information was
affected.

Like the letter from Hennepin Healthcare, the letter from Children’s
Minnesota says those affected should be on the lookout for fraud, such
as charges for services that were never given.

Blackbaud didn’t say why hospitals are advising patients and donors to
watch for suspicious activity if there was no indication that the data
would be misused. Blackbaud’s e-mail said it would not comment beyond
a statement on its website, “out of respect to the privacy for our
customers.”

Some question why hospitals are sharing patient data with a third
party working on fundraising.

Even though health care providers typically require patients or
guardians to sign paperwork acknowledging medical data may be shared
with outside parties, some patients don’t think a charitable
foundation needs access to medical records.

“I’m consenting for doctors to do with whatever they need to do, but
not the medical data and history of my child to go to a third party so
they can market to me for fundraising campaigns,” said Matt Berg of
Minneapolis, who got one of the letters this week. His child has been
treated at Children’s Minnesota in the past.

A spokeswoman for Children’s Minnesota said in an e-mail Wednesday
morning that it’s common for not-for-profit health care systems to
track past patient interactions for fundraising.

“Often, people choose to make a donation to our foundation after they
or a loved one has received care at one of our facilities. We track a
limited amount of information in the Blackbaud database so, for
example, we are able to identify which clinician or department a
family has interacted with in the event they would like to direct
their gift to a specific program,” the Children’s spokeswoman said.
