Cyber Incident Victim: Bon Secours St. Francis Health System

Date: Feb 2020

Location: United States of America

Summary

A cybersecurity breach at Roper St. Francis Healthcare impacted nearly 93,000 patients after unauthorized access to a third-party fundraising database managed by Blackbaud. The compromised data potentially included names, ages, genders, birth dates, addresses, treatment dates, service departments, and treating physicians, though encrypted financial information and Social Security numbers remained inaccessible. The healthcare provider established a dedicated call center for affected individuals and initiated a review of third-party data storage practices, including reevaluating its vendor relationship with Blackbaud. No medical systems or electronic health records were accessed during the incident.

Description

In September 2020, Roper St. Francis Healthcare (RSFH) notified approximately 93,000 patients of a data security breach involving third-party vendor Blackbaud’s systems. Blackbaud alerted RSFH on July 31, 2020, that an unauthorized party had gained access to its systems between February 7 and May 20, 2020. The breach specifically involved a backup copy of the database managing fundraising information for Roper St. Francis Foundations. RSFH clarified that the incident did not compromise medical systems, electronic health records, or primary patient care infrastructure. The accessed fundraising database contained non-medical information including patient names, ages, genders, dates of birth, physical addresses, dates of treatment, departments of service, and treating physicians. Blackbaud confirmed that encrypted fields containing Social Security numbers, financial account details, and credit card information remained secure and were not accessed during the intrusion.

RSFH established a dedicated call center operational Monday through Friday from 9 a.m. to 6:30 p.m. Eastern Time to address patient inquiries, providing the toll-free number 1-866-938-0447. The healthcare system advised affected individuals to review statements from their healthcare providers for discrepancies and to contact providers immediately if they identified services not received. Internally, RSFH initiated a review of third-party vendor data storage practices and began re-evaluating its contractual relationship with Blackbaud to prevent future incidents. No evidence suggested misuse of the exposed data at the time of disclosure. The breach notification emphasized the limited scope of the compromise to fundraising records and reiterated that clinical operations remained unaffected throughout the event.
