Cyber Incident Victim: Atrium Health
Date:
Feb 2020
Location:
United States of America
Summary
A North Carolina health system experienced a data breach when cybercriminals targeted its donor management software vendor, compromising patient and donor information including names, birth dates, contact details, treatment locations, physician names, donation histories, and guarantor relationships. The incident did not involve medical records, financial data, Social Security numbers, or clinical information such as medications or test results. The vendor contained the attack by locking unauthorized actors out of its systems and engaged a monitoring firm to detect potential misuse of stolen data, with no evidence of ongoing exploitation found. The health system reviewed its security protocols and vendor relationships following the breach while offering a dedicated contact line for affected individuals.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In May 2020, Blackbaud—a donor management software vendor used by Atrium Health—experienced a ransomware attack that compromised patient and donor data. The breach occurred between February 7 and May 20, with Blackbaud detecting unauthorized system access on May 14 and subsequently locking the attackers out. Atrium Health was notified of the incident by Blackbaud on July 16, 2020. The compromised data included names, birth dates, home addresses, phone numbers, email addresses, internal patient ID numbers, treatment dates and locations, physician names, guarantor information, and decedent status. For minors, the stolen information included guarantor names and relationships. Patients who made donations also had donation dates and amounts exposed. Atrium confirmed the specific data elements involved on August 12 after investigation. No medical records, prognosis details, medication information, test results, Social Security numbers, credit card data, or bank account information were accessed, as Blackbaud never had access to these categories.
Atrium Health began notifying affected patients and donors in late August and early September 2020, establishing a dedicated call center for inquiries. Blackbaud engaged a third-party firm to monitor for misuse of stolen data, with no evidence of ongoing exploitation found as of Atrium's September 8 public notice. The health system initiated a security safeguards review and reevaluated its relationship with Blackbaud while emphasizing that the vendor's systems—not Atrium's—were compromised. Despite the absence of observed misuse, Atrium acknowledged concerns about the breach's scope and unresolved questions regarding its implications. North Carolina's Attorney General had previously reported record data breaches statewide in 2019, providing context for heightened scrutiny of such incidents. Atrium's public communications included website notices and individualized letters to impacted parties, apologizing for the vendor's security failure while maintaining that no financial or clinical systems were involved.