Cyber Incident Victim: Guthrie Clinic

Date: Jul 2020

Location: United States of America

Summary

A healthcare provider notified federal regulators of a data breach impacting over 92,000 patients stemming from a ransomware attack targeting a third-party vendor. The incident compromised protected health information including patient names, contact details, age, gender, treatment dates, service departments, treating physicians, and insurance status. The organization confirmed no medical records, diagnoses, financial account data, Social Security numbers, or passwords were accessed during the attack. The breach originated from the vendor's systems and did not involve unauthorized entry into the provider's own medical networks or electronic health records. Federal authorities are investigating the incident.

Description

On July 16, 2020, The Guthrie Clinic became aware that Blackbaud, Inc., a third-party service provider, had experienced a ransomware attack impacting patient data stored within Blackbaud's systems. Guthrie initiated an investigation to determine the scope of the breach affecting its patients. The clinic confirmed that the incident did not involve unauthorized access to its internal medical systems, electronic health records, or diagnostic and treatment information. On September 9, 2020, Guthrie formally notified the U.S. Department of Health & Human Services Office for Civil Rights (OCR) of the breach, reporting that approximately 92,064 patients were affected. The OCR opened an investigation into the incident following this notification. Guthrie clarified that the compromised data resided exclusively within Blackbaud's environment and stressed that critical financial and authentication information—including Social Security numbers, credit card details, bank account information, and passwords—remained unaffected by the breach.

The exposed information was limited to demographic and administrative healthcare data: patient names, contact details, ages, genders, dates of treatment, departments where services were rendered, names of treating physicians, and health insurance status. Guthrie issued a public notification describing the nature of the breach and the specific data categories involved, aiming to inform affected individuals while reiterating that no clinical or financial records were accessed. The clinic emphasized its reliance on Blackbaud’s systems for storing this non-clinical data and acknowledged the third party’s role in the security failure. No evidence suggested misuse of the compromised data, but Guthrie did not disclose whether it implemented additional monitoring services for impacted patients. The ransomware attack’s operational disruption appeared confined to Blackbaud’s infrastructure, with no reported interruption to Guthrie’s healthcare services or internal IT operations during or after the incident.
