Cyber Incident Victim: Epilepsy Florida

Epilepsy Florida's data security incident stemmed from a third-party breach involving Blackbaud, a cloud software provider. The organization publicly disclosed that patient information was compromised as part of the widespread Blackbaud ransomware attack that occurred in 2020. While the exact discovery date by Epilepsy Florida remains unspecified in available reports, the disclosure timeline indicates awareness emerged during the broader aftermath of Blackbaud's breach notification process. The incident involved unauthorized access to Blackbaud's systems, which hosted Epilepsy Florida's patient data as part of their service arrangement. Blackbaud paid the ransomware attackers to destroy copies of stolen data, though the company acknowledged it had no guarantee all data copies were eradicated.

In their substitute breach notice, Epilepsy Florida outlined the types of potentially compromised information and provided a chronology of events related to the Blackbaud incident. The organization did not specify the number of affected individuals in publicly available documentation referenced by media reports. Response actions included issuing notifications to inform patients about their potential exposure through the third-party breach. No evidence exists in source materials regarding system containment measures taken directly by Epilepsy Florida, as the breach originated within Blackbaud's infrastructure rather than the nonprofit's own systems. The organization directed concerned individuals to review their substitute notice for additional details about the incident's scope and timeline.