Cyber Incident Victim: Ronald McDonald House Charities

In December 2020, Ronald McDonald House Charities (RMHC) discovered a data breach involving guest information managed through third-party software provider Blackbaud. The breach stemmed from a ransomware attack on Blackbaud’s systems earlier in 2020, which compromised a backup database RMHC had previously used for guest services. RMHC became aware of the incident on December 1, 2020, though the initial Blackbaud attack occurred months earlier. The exposed database contained personal details of families staying at RMHC facilities, including names paired with at least one form of government-issued identification—such as driver’s licenses, state IDs, passport numbers, or other official ID numbers. No financial data or medical records were confirmed as exposed in this incident. RMHC emphasized that the breach originated from Blackbaud’s infrastructure, not RMHC’s own systems.

RMHC notified 17,373 affected guests via mailed letters beginning January 14, 2021, over a month after discovering the breach. The charity offered impacted individuals a complimentary one-year subscription to Experian’s IdentityWorks Credit 3B credit monitoring service. In response to the incident, RMHC discontinued its use of Blackbaud for guest services management and initiated a broader review of data storage practices across all third-party vendors. Blackbaud had previously addressed the security vulnerability that led to the ransomware attack, but RMHC undertook additional measures to evaluate ongoing data retention needs with external partners. The breach highlighted risks associated with storing sensitive identification data with third-party providers, though RMHC did not report any direct evidence of misuse of the exposed information.