Cyber Incident Victim: OSF HealthCare
Date:
Aug 2020
Location:
United States of America
Summary
OSF Healthcare notified patients of a data breach stemming from a ransomware attack on Blackbaud, a third-party service provider, which compromised sensitive information including names, contact details, dates of birth, treatment locations, physician names, service departments, room numbers, and medical record numbers. The Illinois- and Michigan-based healthcare system confirmed its affected database contained patient data but did not disclose the total number of impacted individuals. The incident, part of a broader compromise affecting over 10 million patients across multiple organizations, exposed information stored within Blackbaud's systems without specifying the attack's duration or initial notification timeline.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
OSF HealthCare System, a not-for-profit Catholic health care organization operating hospitals and medical facilities across Illinois and Michigan, became involved in a widespread data security incident stemming from a ransomware attack against Blackbaud, one of its third-party service providers. The organization began mailing notification letters to affected patients in October 2020 after completing its investigation into the breach. On August 20, 2020, OSF confirmed through analysis of the compromised Blackbaud database that patient information had been exposed, including names, addresses, phone numbers, email addresses, dates of birth, treatment facility details, treating physician names, service departments, room numbers, and medical record numbers. The health system did not disclose when Blackbaud initially alerted them to the incident or the specific timeframe during which unauthorized actors accessed the data. With over 23,600 employees operating across 147 locations including 14 hospitals and two nursing colleges, OSF's breach notification indicated potential exposure of sensitive health care information across its extensive service network.
The Blackbaud ransomware incident impacted numerous organizations globally, with OSF confirming its status among more than 10 million affected individuals across various institutions. While OSF's public notice did not specify the exact number of impacted patients within its system, the organization acknowledged the incident would likely appear in official reporting through the U.S. Department of Health and Human Services' public breach tool. No evidence suggested financial account information or Social Security numbers were compromised in OSF's case, differentiating its exposure from some other Blackbaud-affected entities. As a regional health care provider headquartered in Peoria, Illinois, OSF's response focused on notifying patients without implementing credit monitoring services, as their assessment determined the stolen data did not include sufficient information for direct financial fraud. The breach highlighted third-party risks for health care systems relying on external vendors to manage sensitive patient data.