Cyber Incident Victim: The Christ Hospital Health Network
Date:
Feb 2020
Location:
United States of America
Summary
A cybersecurity incident at a third-party service provider impacted The Christ Hospital Health Network, involving unauthorized access to patient data during a ransomware attack. The compromised information included names, addresses, dates of birth, contact details, provider names, and hospital departments, but excluded Social Security numbers and financial or payment information. The provider paid the ransom to prevent data dissemination and asserted no evidence of misuse, with ongoing monitoring by external experts. The health network conducted an internal investigation, notified affected individuals, and emphasized enhancements to security practices without confirming any actual misuse of the exposed personal information.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The Christ Hospital Health Network (TCHHN) learned on July 16, 2020, that Blackbaud, a third-party software provider handling its fundraising and constituent engagement data, experienced a ransomware incident. Blackbaud reported the attack occurred intermittently between February 7 and May 20, 2020, during which an unauthorized actor accessed and removed data before being stopped. Blackbaud paid the threat actor a ransom in exchange for assurances that the stolen data was permanently destroyed, though no independent verification of this destruction was provided. TCHHN immediately launched an internal investigation with external experts upon notification to assess potential impacts on its patients. The investigation concluded on August 28, 2020, confirming that the compromised Blackbaud systems contained personal information of certain TCHHN patients, including full names, addresses, dates of birth, phone numbers, provider names, and hospital department details. No Social Security numbers, financial account information, payment card data, or electronic health records were affected, as TCHHN’s core medical systems remained isolated from the breach.
Blackbaud asserted no evidence existed that exfiltrated data had been misused, disseminated, or publicly exposed, citing ongoing monitoring by third-party forensic experts. Despite this, TCHHN began notifying affected patients on September 14, 2020, advising precautionary measures such as fraud alerts, credit freezes, and regular review of financial statements for suspicious activity. The hospital established a dedicated toll-free response line staffed by professionals to address patient inquiries and provided a link to Blackbaud’s public statement about the incident. TCHHN emphasized its commitment to enhancing security practices for itself and its third-party partners, though no specific technical or procedural changes were disclosed. The incident stemmed entirely from Blackbaud’s systems, with no indication of vulnerabilities within TCHHN’s infrastructure contributing to the breach. Patient notifications occurred over two months after Blackbaud’s initial disclosure, reflecting the time required for TCHHN’s internal investigation to confirm the scope and impacted individuals.