Blackbaud, the South Carolina-based vendor, notified the health system in July that an unauthorized individual gained access to its systems between Feb. 7 and May 20, Northwestern said in a statement this week.
While the incident was not targeted at Streeterville-based Northwestern, the individual may have accessed information for donors—or patients for whom donations were made—including names, dates of birth and some clinical information, the statement says. With the exception of five people, Social Security numbers, financial accounts and payment information were encrypted and not accessible to the hacker.
“Based on the nature of the incident, our research and third-party—including law enforcement—investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly,” Blackbaud said in a separate statement, noting all affected customers had been notified and supplied with additional information and resources.
So far this year, 11 data breaches in Illinois have been reported to HHS, which requires notice when protected health information for 500 or more people is exposed.
HIPAA Journal first reported Northwestern was impacted by the Blackbaud breach.