Cyber Incident Victim: Roper St. Francis Healthcare

Date: Feb 2020

Location: United States of America

Summary

A healthcare provider experienced a data security breach affecting nearly 93,000 patients through a third-party vendor's compromised fundraising database. An unauthorized party potentially accessed personal information including names, ages, genders, birthdates, addresses, treatment dates, service departments, and treating physicians, though encrypted financial data and Social Security numbers remained protected. The incident was confined to fundraising systems without impacting medical records or clinical operations. The organization notified affected individuals, established a dedicated call center for inquiries, and initiated reviews of third-party data storage practices while reassessing its vendor relationship following the breach.

Description

Roper St. Francis Healthcare (RSFH) experienced a data security breach involving its third-party vendor Blackbaud, which managed fundraising information for the healthcare system. Blackbaud notified RSFH on July 31, 2020, that an unauthorized party had accessed its systems between February 7 and May 20, 2020. The attackers potentially acquired a backup copy of the fundraising database maintained by Roper St. Francis Foundations. This incident affected approximately 93,000 patients whose information was stored in the compromised database. The breached data included patients' names, ages, genders, dates of birth, addresses, dates of treatment, departments of service, and treating physicians. Blackbaud confirmed that encrypted fields containing Social Security numbers, financial account details, and credit card information remained inaccessible to the attackers. RSFH emphasized that medical systems and electronic health records were not involved in the breach, limiting exposure to fundraising-related data.

Following notification from Blackbaud, RSFH initiated a patient notification process and established a dedicated call center operational Monday through Friday to address inquiries. The healthcare provider advised affected individuals to review statements from their healthcare providers for discrepancies and report unrecognized services immediately. Internally, RSFH launched a review of its data storage practices with third-party vendors and began re-evaluating its business relationship with Blackbaud. The breach did not disrupt clinical operations or compromise medical treatment systems, but it exposed non-medical patient information that could be exploited for identity theft or phishing attempts. No evidence suggested misuse of the accessed data at the time of disclosure, though the incident highlighted risks associated with third-party vendor management in healthcare data ecosystems.
