Thousands of MN hospital patients' information possibly exposed in data breach

A vendor four Minnesota hospitals use for their foundations experienced a ransomware attack in July.
Publish date:

Information about patients at several Minnesota hospitals may have been exposed in a data breach involving a third-party vendor they all use.

Children's Hospitals and Clinics of Minnesota sent a letter to families who may have been impacted by the data breach, informing them that a variety of personal information may have been involved in the breach at Blackbaud, Inc., earlier this year. 

Patients' Social Security Numbers were not revealed, according to the letter, but Children's Minnesota recommends people review any statements they've received from their healthcare providers and if something doesn't seem right, they should contact their provider right away, a news release says. 

Three other health care providers in the state – Allina Health, Regions Hospital and Gillette Children's Specialty Healthcare – have also mailed letters this month to impacted families about the breach, the Star Tribune reports.

All the hospitals use Blackbaud, Inc. for their charitable foundations.

In Minnesota, 160,268 people who received care at Children's Minnesota may have been impacted by the breach, according to records by the federal Office for Civil Rights, making it the second-largest health data breach ever in the state. The largest exposed information about more than 1 million people when Optum360's network server was hacked, the records show.

The Star Tribune says 52,795 patients at Regions Hospital in St. Paul were impacted. The number of people impacted at Allina and Gillette hasn't been shared. 

According to Blackbaud's website, it provides software solutions for faith communities, foundations, K-12 schools, nonprofits and others. Other children's hospitals and health care systems around the country recently informed patients of the breach as well, media reports show.

In total, more than 3 million people across the country were impacted by the breach, the Star Tribune says. 

Children's Minnesota said Blackbaud informed it in July that an "unauthorized individual" accessed its systems between Feb. 7 and May 20 of this year. In doing so, they may have gotten backup copies of a database the foundation uses for fundraising efforts, which had information that includes patient's full names, addresses, phone numbers, ages, dates of birth, genders, medical record numbers, dates of treatment, locations of treatment, names of doctors and health insurance status. 

Social Security Numbers are not part of the information the foundation stores on Blackbaud, so they were not exposed during the incident, Children's Minnesota says. The breach also does not involve "any access to our medical systems or electronic health records."

Blackbaud said in a July news release that it stopped a ransomware attack, but prior to "locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment."

"Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly," the release said. 

Children's Minnesota says it takes this incident "very seriously" and it is evaluating its arrangement with Blackbaud and its security safeguards to help prevent something like this from happening again. 

BMTN has reached out to the other hospitals for comment. 

Next Up

coronavirus, masks, covid-19

Wisconsin Republicans aim to end governor's mask mandate

They've introduced a resolution to remove the governor's emergency powers.

Ted Schweich

Community group hopes to install billboard to get neighbor a kidney

A group called "Team Ted" aims to raise $5,000 to find their friend a kidney donor.

Andrew Palmer

Charges: Coach raped teenage girl on Minnesota basketball team

The 33-year-old head coach has been charged in connection to the alleged crimes.

radio station, microphone

WCCO Radio's program director leaves the company

It's not clear why John Hanson and the station parted ways.

Minneapolis skyline

Minneapolis a step closer to banning facial recognition technology

There are concerns about it leading to a surveillance state, and that it could harm disadvantaged communities.

covid-19, coronavirus, PPE

Here is Minnesota's COVID-19 update for Friday, January 22

Nearly 50,000 Minnesotans have received both doses of the COVID-19 vaccine.

police lights

Police recover more than 14 pounds of meth, 4,000 pills during drug bust

Three people have been arrested and charged in connection to the drugs.

Gopher hockey

Gophers respond to drop in rankings with 10-goal outburst

It had been 17 years since the Gophers last scored 10 goals in a game.


Winter storm watch issued where snow could exceed 6 inches in MN

Snow will spread from west to east starting Saturday morning in western Minnesota.


Data breach at MN health provider may have left 50,000 patients exposed

Alomere Health in Alexandria informed patients last week.

Payment information accessed in Delta data breach

Delta says a 3rd party company was breached in the fall.

Dunn brothers

Data breach impacts card users at Dunn Bros., Sebastian Joe's

A Minnesota company that provides point-of-sale services has confirmed a breach.