Cyber Incident Victim: SCL Health
Date: Feb 2020
Location: United States of America
Summary
A cybersecurity incident impacted a healthcare organization through a third-party service provider breach, exposing patient information at facilities in Montana including three hospitals. The unauthorized access occurred over several months, compromising names, dates of birth, contact details, admission dates, treatment locations, and provider information. Encrypted data such as Social Security numbers remained secure. Affected individuals were notified via mail and provided a dedicated contact number for assistance. The breach originated from compromised systems at the external vendor responsible for managing patient data.
Description
SCL Health Medical Group publicly disclosed a data breach impacting patient information on September 10, 2020. The incident originated from a cybersecurity compromise at one of SCL Health’s third-party service providers, Blackbaud Inc., which notified the healthcare organization on July 16, 2020. Blackbaud reported that an unauthorized individual gained access to its systems containing SCL Health patient data during a period spanning February 7 to May 20, 2020. This breach affected patients treated at three Montana hospitals operated by SCL Health: St. Vincent Healthcare in Billings, St. James Healthcare in Butte, and Holy Rosary Healthcare in Miles City. The exposed information included patient names, dates of birth, physical addresses, phone numbers, email addresses, admission dates, hospital locations, specific service locations within facilities, and names of treatment providers. Blackbaud confirmed that encrypted fields containing more sensitive data such as Social Security numbers were not accessed during the intrusion.

SCL Health initiated breach notification procedures approximately eight weeks after receiving Blackbaud’s disclosure, mailing individual letters to all affected patients. The organization established a dedicated call center (866-968-0158) to address patient inquiries regarding the incident. While emphasizing that financial data and Social Security numbers remained protected through encryption, SCL Health advised impacted individuals to remain vigilant in monitoring their personal information. The breach notification did not specify the total number of affected patients across the Montana facilities or describe any operational disruptions to clinical care resulting from the incident. No evidence suggested misuse of the exposed data at the time of disclosure.
