Thousands of MN hospital patients' information possibly exposed in data breach

A vendor four Minnesota hospitals use for their foundations experienced a ransomware attack in July.
Publish date:

Information about patients at several Minnesota hospitals may have been exposed in a data breach involving a third-party vendor they all use.

Children's Hospitals and Clinics of Minnesota sent a letter to families who may have been impacted by the data breach, informing them that a variety of personal information may have been involved in the breach at Blackbaud, Inc., earlier this year. 

Patients' Social Security Numbers were not revealed, according to the letter, but Children's Minnesota recommends people review any statements they've received from their healthcare providers and if something doesn't seem right, they should contact their provider right away, a news release says. 

Three other health care providers in the state – Allina Health, Regions Hospital and Gillette Children's Specialty Healthcare – have also mailed letters this month to impacted families about the breach, the Star Tribune reports.

All the hospitals use Blackbaud, Inc. for their charitable foundations.

In Minnesota, 160,268 people who received care at Children's Minnesota may have been impacted by the breach, according to records by the federal Office for Civil Rights, making it the second-largest health data breach ever in the state. The largest exposed information about more than 1 million people when Optum360's network server was hacked, the records show.

The Star Tribune says 52,795 patients at Regions Hospital in St. Paul were impacted. The number of people impacted at Allina and Gillette hasn't been shared. 

According to Blackbaud's website, it provides software solutions for faith communities, foundations, K-12 schools, nonprofits and others. Other children's hospitals and health care systems around the country recently informed patients of the breach as well, media reports show.

In total, more than 3 million people across the country were impacted by the breach, the Star Tribune says. 

Children's Minnesota said Blackbaud informed it in July that an "unauthorized individual" accessed its systems between Feb. 7 and May 20 of this year. In doing so, they may have gotten backup copies of a database the foundation uses for fundraising efforts, which had information that includes patient's full names, addresses, phone numbers, ages, dates of birth, genders, medical record numbers, dates of treatment, locations of treatment, names of doctors and health insurance status. 

Social Security Numbers are not part of the information the foundation stores on Blackbaud, so they were not exposed during the incident, Children's Minnesota says. The breach also does not involve "any access to our medical systems or electronic health records."

Blackbaud said in a July news release that it stopped a ransomware attack, but prior to "locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment."

"Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly," the release said. 

Children's Minnesota says it takes this incident "very seriously" and it is evaluating its arrangement with Blackbaud and its security safeguards to help prevent something like this from happening again. 

BMTN has reached out to the other hospitals for comment. 

Next Up