Inova Health System in Falls Church, Va., is the latest health system to notify patients and donors that some of their personal data may have been exposed in a ransomware attack at software company Blackbaud.
The data breach affected up to 1,045,270 patients, according to a report that Inova submitted to HHS' Office for Civil Rights on Wednesday. The HHS agency publicly posted the report to its online database of healthcare data breaches in an update Thursday.
Blackbaud notified Inova about the ransomware attack on July 16. HHS gives HIPAA-covered entities 60 days from when they discover a data breach to notify the department.
The hackers who attacked Blackbaud "intermittently" removed data—including some information that the company maintained for Inova—from Blackbaud's systems between February and May, according to a notice that Inova posted online. Inova on Aug. 10 determined that data removed by the hackers may have included names, addresses, dates of birth, dates of service, hospital departments, and donation dates and amounts.
Blackbaud has said the hacker destroyed data it removed from the company's systems.
The data breach did not affect Social Security numbers, financial account information or payment card information, according to Inova.
"Inova takes the security of personal information very seriously," an Inova spokesperson said in an emailed statement. "Blackbaud has assured us that they closed the vulnerability that allowed the incident, and that they are enhancing their security controls and conducting ongoing efforts against incidents like this in the future."
Upon discovering the ransomware attack in May, Blackbaud said its security team was able to block the cybercriminals from fully encrypting files and removed them from the company's information systems; however, before that point, the cybercriminals had already taken a copy of some of the company's data.
Blackbaud paid a ransom demand to the cybercriminals, who in exchange destroyed the data copy, according to a notice that Blackbaud posted online. Blackbaud's investigation to date has found no evidence to suggest that information compromised in the data breach has been misused, the company said.
Dozens of healthcare organizations, educational institutions and other not-for-profits in the U.S. and abroad were affected by the cyberattack at Blackbaud; the two largest healthcare data breaches reported to OCR last month—which affected 657,392 and 360,212 patients, respectively—were both tied to the incident.
NorthShore University HealthSystem in Evanston, Ill., earlier in September said an estimated 348,000 patients may have had personal information compromised in the Blackbaud attack.