Cyber Incident Victim: Sisters of Charity Health System
Date: Feb 2020
Location: United States of America
Summary
The Sisters of Charity Health System experienced a data breach impacting multiple affiliated medical centers and community organizations due to a cyberattack on their third-party cloud service provider, Blackbaud. Unauthorized individuals potentially accessed fundraising databases containing patient names, gender, dates of birth, contact information, treating physicians, and organizational relationship details such as donation history or volunteer service, though encrypted financial data and protected health records remained secure. The organization notified affected individuals and established a dedicated support line following confirmation that attackers may have acquired backup copies of constituent databases during the provider's security incident.
Description
The Sisters of Charity Health System (SCHS) disclosed a data breach in 2020 stemming from a cyberattack on its third-party cloud service provider, Blackbaud. Blackbaud notified SCHS on July 16, 2020, that an unauthorized individual had accessed its systems between February 7 and May 20, 2020, potentially acquiring backup copies of databases used by SCHS for fundraising. The compromised databases contained information from multiple SCHS entities, including Mercy Medical Center, Providence Hospitals, St. Vincent Charity Medical Center, and several affiliated community service organizations. Exposed data included patients' names, gender, dates of birth, contact information, and treating physicians' details, along with organizational relationship information such as donation histories, volunteer service records, and employment data if applicable. SCHS clarified that the breach exclusively affected constituent and donor databases, with no evidence of access to medical systems, protected health records, or encrypted sensitive information like Social Security numbers, credit card details, or financial account data.

In response to the incident, SCHS notified affected patients via email and established a dedicated customer service line to address inquiries. The health system emphasized that Blackbaud had paid a ransom to ensure the deletion of stolen data, though it advised vigilance against potential phishing attempts via email, text, or phone calls. The breach notification occurred months after Blackbaud’s initial discovery, with SCHS publicly confirming the incident in October 2020. No operational disruptions to medical services or additional unauthorized activities beyond the Blackbaud system compromise were reported. The incident exclusively involved third-party systems managed for fundraising purposes, with no indication that SCHS’s internal networks or primary healthcare infrastructure were directly targeted or compromised during the attack.
