Cyber Incident Victim: Rady Children's Hospital
Date:
Oct 2020
Location:
United States of America
Summary
Rady Children’s Hospital experienced a data breach involving patient information due to a ransomware incident affecting third-party vendor Blackbaud. Compromised files contained personal details such as names, addresses, treating physicians, service departments, procedure names, and dates of birth. The hospital did not disclose the number of impacted individuals, and the incident had not yet appeared in federal breach disclosures at the time of reporting.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Rady Children’s Hospital disclosed a data breach involving patient information on or around October 30, 2020, stemming from a third-party incident involving Blackbaud, a cloud software provider. The breach occurred earlier in 2020 when Blackbaud suffered a ransomware attack that compromised files containing hospital patient data. According to the hospital’s disclosure, the affected files included personal information such as patient names, addresses, treating physicians’ names, departments of service, medical procedure names, and dates of birth. The hospital did not specify the exact number of patients impacted by the breach, nor did it confirm whether financial or medical record data, such as Social Security numbers or diagnostic details, were exposed. Rady Children’s Hospital characterized the incident as part of the broader Blackbaud ransomware event, which affected numerous organizations globally. At the time of the hospital’s announcement, the incident had not yet appeared in the U.S. Department of Health and Human Services’ public breach reporting tool, which tracks disclosures affecting 500 or more individuals. No further technical details about the attack vector, ransomware variant, or Blackbaud’s specific security failures were provided in the hospital’s public statement.
The breach exposed patients to potential risks of identity theft, phishing attempts, and fraud due to the compromise of personally identifiable information (PII). Rady Children’s Hospital stated it had notified affected individuals but did not describe any specific remediation measures offered to them, such as credit monitoring or identity restoration services. The hospital’s disclosure emphasized that the breached data did not include credit card information, bank account details, or login credentials, though it did not clarify whether Blackbaud had paid a ransom or recovered the data. The incident highlighted supply-chain vulnerabilities in healthcare systems, as the breach originated from a vendor rather than the hospital’s direct infrastructure. No operational disruptions to hospital services were reported in connection with the breach. The hospital directed public inquiries to its official communications but did not publish additional technical or forensic findings about the incident’s scope or duration.