Blackbaud in July notified Trinity Health about the cyberattack, which affected data held in some donor database back-up files maintained by the company.
That possibly exposed patient information including demographic data like names, addresses, dates of birth and ages, as well as such clinical data as inpatient-outpatient status, dates of service, hospital location, physician name, discharge status, name of insurance and department of service, according to a notice Trinity Health posted online.
"After a patient receives care at a Trinity Health ministry, our philanthropy teams reach out with the opportunity to express gratitude in honor of their care teams," the system wrote in an update on its website, noting data like date of last service helps to ensure patients aren't contacted too soon after care and physician names are used if a patient wants to send a thank you note.
Information in the database spans 2000 to 2020.
Hospitals have varied in what data was held in Blackbaud's systems.
"It's not unusual for foundations to solicit patients for donations," said Drex DeFord, healthcare executive strategist at cybersecurity consulting firm CI Security and former health system chief information officer. But how much information is collected "specific to the patient and their disease, where they were treated, and who the doctors were, I think probably varies widely."
It's a particularly bad time for a breach of fundraising systems, he said, since hospitals have lost revenue amid COVID-19.
"Healthcare organizations (and) not-for-profits rely on donors now more than ever," DeFord said. "This is exactly the wrong time to see a donor database compromised and those donors then starting to second guess whether or not they should give money."
Upon discovering the ransomware attack in May, Blackbaud said its security team was able to block the cybercriminals from fully encrypting files and removed them from the company's information systems; however, before that point, the cybercriminals had already taken a copy of some of the company's data.
Blackbaud paid a ransom demand to the cybercriminals, who in exchange destroyed the data copy, according to a notice describing the incident that Blackbaud posted online.
Paying a hacker's ransom demand is discouraged by cybersecurity experts, including the Federal Bureau of Investigation, who say the practice can enable future criminal activity.
The federal government in early October took another step to try to stop organizations from paying ransoms, with the Treasury Department issuing an advisory that companies that facilitate ransomware payments—such as cyber insurance firms and incident response groups—could face fines for violating regulations from the department's Office of Foreign Assets Control.
As of Wednesday, HHS' Office for Civil Rights posted 82 data breach reports that healthcare providers, insurers and their business associates had submitted to the agency in September. That's the highest number of data breaches reported in a single month since OCR began tracking healthcare data breaches in 2010.
In total, the 82 data breaches reported in September compromised data on a collective 9.2 million patients.
July 2019, which held the previous record for data breaches reported in a single month, encompassed 59 data breaches that exposed data on 26.7 million patients.