Cyber Incident Victim: Inova Health Systems

Inova Health Systems experienced a data breach stemming from a ransomware attack targeting its third-party vendor, Blackbaud, which provided fundraising support services. Between February 7 and May 20, 2020, attackers infiltrated Blackbaud's systems and exfiltrated data containing personally identifiable information (PII) belonging to Inova's patients and donors. The attackers attempted but failed to encrypt significant portions of Blackbaud's data during the ransomware incident. Blackbaud subsequently paid an undisclosed ransom to the threat actors in exchange for their promise to destroy the stolen data, claiming the attackers fulfilled this destruction demand. The compromised information did not include Social Security numbers or financial payment details, limiting but not eliminating potential risks to affected individuals.

Inova notified its customers about the breach after Blackbaud disclosed the incident, confirming the exposure of donor and patient PII through the vendor's compromised infrastructure. Blackbaud asserted it had identified and remediated the specific vulnerability exploited in the attack, declaring its systems secure post-remediation. The breach's impact centered on privacy concerns for individuals whose PII was accessed, though no direct misuse of data was reported at the time of disclosure. No disruptions to Inova's healthcare operations or direct compromises of its internal systems were indicated, as the incident remained confined to Blackbaud's environment. The delayed public notification aligned with Blackbaud's investigation timeline, which concluded months after the initial February intrusion.