Notice to Our Patients of Blackbaud Data Security Incident
The Guthrie Clinic (“Guthrie”) is committed to protecting the security and privacy of our patients and those who support us. Regrettably, we recently learned of an incident that occurred at one of our vendors, Blackbaud, Inc. (“Blackbaud”), that may have involved some information relating to some of our patients.
Blackbaud is a vendor that provides Guthrie with cloud-based and data solution services related to our philanthropic activities. On July 16, 2020, Blackbaud informed us it had discovered that an unauthorized individual had gained access to Blackbaud’s systems between February 7 and May 20, 2020. Blackbaud advised us that the unauthorized individual may have acquired backup copies of databases used by its customers, including a backup of the database Guthrie uses for fundraising efforts. We immediately took steps to understand the extent of the incident and the data involved.
Based on our review of the affected database, we have reason to believe that it contained patient names, contact information, age, gender, dates of treatment, departments of service, treating physicians, and health insurance status.
Importantly, Blackbaud has informed us that financial and credit card account information was encrypted, and therefore not accessed by the unauthorized individual. Social Security numbers were not in the data shared with Blackbaud. Also, this incident did not involve any access to patient diagnosis or treatment plans in any Guthrie medical systems or electronic health records.
We want our patients to know that we are taking this matter very seriously. We mailed letters regarding the incident to those whose information was contained in the Blackbaud database beginning September 8, 2020. We have also established a dedicated call center to answer any questions about this incident, which may be contacted at 1-877-547-0582, from 8:00 a.m. to 5:30 p.m. Central, Monday through Friday, excluding major U.S. holidays.
If you believe you are affected, we recommend you review the statements you receive from your healthcare providers. If you see services you did not receive, please contact the provider immediately.
We value the trust you have placed in us and apologize for any concern or inconvenience this incident may cause. To reduce the likelihood of any repeat occurrence, we are examining our vendor relationship with Blackbaud and evaluating their security safeguards.
Blackbaud, an international vendor specializing in philanthropy services for not-for-profits, experienced a cyber security incident earlier this year, affecting organizations worldwide, including Guthrie. Blackbaud informed Guthrie on July 16, 2020, that an unauthorized individual(s) had gained access to Blackbaud’s systems between February 7 and May 20, 2020, and a backup file containing Guthrie information may have been part of the data acquired by the unauthorized persons. Guthrie immediately took steps to understand the extent of the incident and the data involved.
What personal information may have been affected?
Based on a thorough investigation, it is believed that the backup file that was acquired contained information pertaining to some Guthrie patients, including patient name(s), contact information, age, gender, date(s) of treatment, department(s) of service, treating physician(s), and health insurance status.
Importantly, Blackbaud has informed Guthrie that financial and credit card account information were encrypted, and therefore not accessed by the unauthorized individual. Social Security numbers were not in the data shared with Blackbaud. Also, this incident did not involve any access to diagnosis or treatment plans in any Guthrie medical systems or electronic health records.
How could something like this have happened?
This incident did not affect any of Guthrie’s systems. Rather, the incident occurred at its third-party vendor, Blackbaud, which informed Guthrie that it has taken steps to remediate the issue.
What have you done to keep something like this from happening again?
Guthrie remains committed to protecting the confidentiality and security of personal information. In response to the incident, we are reviewing how information is stored with third party vendors and re-evaluating our relationship with Blackbaud.
What can I do/What should I do now?
It is always a good idea to review statements you receive from your healthcare provider. If you see any services you did not receive or transactions you do not recognize, you should contact the provider that issued the statement immediately.