Cyber Incident Victim: Catholic Health
Date: Feb 2020
Location: United States of America
Summary
A ransomware attack targeting Blackbaud Inc., a third-party software provider, compromised patient and donor data associated with Catholic Health facilities. The breach exposed patient names, medical service numbers, and treatment dates spanning multiple years, along with donor lists and limited personal information from the Roswell Park Alliance Foundation. No medical records, Social Security numbers, financial data, addresses, or credit card information were accessed. The unauthorized activity occurred intermittently over several months before being discovered mid-summer. The affected data was maintained as potential donor lists for the healthcare system and its foundations. Catholic Health notified impacted individuals and emphasized ongoing vigilance despite assessing no immediate actionable risk from the exposed information.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The ransomware attack targeting Blackbaud Inc., a national software provider serving nonprofit organizations, compromised patient and donor data associated with Catholic Health facilities and the Roswell Park Alliance Foundation between February and May 2020. Hackers intermittently accessed Blackbaud's systems during this four-month period, exfiltrating a Catholic Health database containing names, medical service numbers, and dates of service for patients treated between 2016 and May 2020. This database functioned as a potential donor list for Catholic Health and its affiliated foundations. Simultaneously, attackers stole donor lists and some personal information from Roswell Park's records managed by Blackbaud, though financial details remained unaffected. Catholic Health discovered the breach in mid-July 2020 through Blackbaud's notification, while Roswell Park confirmed its involvement through direct communications with the vendor. Both organizations emphasized that critical identifiers—including Social Security numbers, addresses, bank account information, credit card data, and medical records—were not accessed or exposed during the incident.

Following internal investigations, Catholic Health initiated patient notification procedures in late August 2020, planning to mail letters to all affected individuals within weeks. The health system's corporate compliance officer publicly affirmed their commitment to privacy safeguards while recommending general vigilance against identity theft, despite assessing no immediate requirement for specific corrective actions by patients. Roswell Park similarly notified its donor base about the breach via email communications. Blackbaud paid the ransom demand after the attack, receiving assurances from the threat actors that stolen data had been destroyed, though this claim remained unverifiable. The incident highlighted vulnerabilities in third-party vendor management, as Blackbaud's centralized platforms for over 25,000 nonprofits became a single point of failure impacting healthcare and philanthropic entities simultaneously. Operational disruptions were not disclosed, but the breach necessitated coordinated response efforts between the compromised vendor and its affected clients to assess data exposure and regulatory obligations.
