Hundreds of thousands of people who sought care at or donated to Brewer, Maine-based Northern Light Health may have had personal data exposed in a massive breach at Blackbaud, the software company that hosts the health system foundation's fundraising databases.
The data breach is linked to a ransomware attack Blackbaud discovered in May.
The data breach affected up to 657,392 people with information included in Northern Light Health Foundation's databases, according to a report the group submitted to HHS' Office for Civil Rights. The HHS agency publicly posted the report to its online database of healthcare data breaches in an update Thursday, although the foundation submitted its report on Aug. 3.
Blackbaud notified Northern Light Health Foundation about the ransomware attack on July 16. HHS gives HIPAA-covered entities 60 days from when they discover a data breach to notify the department.
The cybercriminals who attacked Blackbaud accessed files that contained fundraising information related to donors, possible donors, people who had attended fundraising events and "patients who we believe may want to support our healthcare mission," among other community members, according to a notice Northern Light Health Foundation posted online.
The cybercriminals did not access credit card information, bank account information or Social Security numbers.
Northern Light Health Foundation and Blackbaud did not immediately respond to a request for comment on what types of information were affected in the incident. In its notice, Northern Light Health Foundation said the health system is working with Blackbaud to determine the exact number of people affected and what types of information were accessed.
"We know that learning about a security breach can be unsettling, and we're committed to investigating this incident thoroughly with Blackbaud and ensuring that our fundraising data will continue to be fully protected," Mike Smith, president of Northern Light Health Foundation, said in a statement.
Dozens of healthcare organizations, educational institutions and other not-for-profits in the U.S. and abroad were affected by the ransomware attack at Blackbaud, including the Cancer Research Institute in New York City, Harvard University in Cambridge, Mass., and NPR in Washington, D.C.
Blackbaud has said that after it discovered the ransomware attack in May, its security team was able to block the cybercriminals from fully encrypting files and removed them from the company's information systems; however, before that point, the cybercriminals had already taken a copy of some of the company's data.
Blackbaud paid a ransom demand to the cybercriminals, who in exchange destroyed the data copy, according to a notice describing the incident that Blackbaud posted online. Blackbaud did not immediately respond to a request for comment on how much it paid the cybercriminals.