Cyber Incident Victim: Bayhealth Medical Center
Date: May 2020
Location: United States of America
Summary
A ransomware attack targeting cloud service provider Blackbaud compromised data belonging to a Delaware healthcare organization and its donors, affecting approximately 78,000 individuals. The breached information potentially included hospitalization details such as physician names and service departments, along with publicly available personal identifiers like names, contact information, and gender, though financial account data, Social Security numbers, and medical records remained unaffected according to the organization's investigation.
Description
In May 2020, Blackbaud, a South Carolina-based cloud computing provider for nonprofit organizations, suffered a ransomware attack that compromised donor and patient data from multiple clients, including Bayhealth, a Delaware healthcare provider. The breach was discovered by Blackbaud in May, though specific intrusion dates were not disclosed. According to Blackbaud’s SEC filing, the attacker potentially accessed unencrypted fields containing sensitive information such as bank account details, Social Security numbers, usernames, and passwords. The incident impacted over 6 million individuals globally. Blackbaud began notifying clients whose highly sensitive data was exposed during the week of September 27, 2020. Bayhealth, which operates campuses in Milford and Dover, confirmed that 78,000 patients and donors were affected by the breach but clarified that its compromised data did not include credit card numbers, bank account information, Social Security numbers, medical records, or data from electronic health systems.

Bayhealth conducted an internal review of the breached Blackbaud database and determined the exposed information was limited to hospitalization-related details such as physician names and hospital service departments, alongside publicly available personal identifiers like names, genders, mailing addresses, email addresses, and phone numbers. The organization issued notification letters to potentially impacted individuals in early November 2020, over five months after Blackbaud detected the incident. Another Delaware healthcare provider, ChristianaCare, separately disclosed in September 2020 that nearly 27,000 patients and donors were affected by the same Blackbaud breach, similarly confirming no financial data or Social Security numbers were compromised in their case. Neither Bayhealth nor ChristianaCare reported evidence of misuse of their exposed data at the time of disclosure.
