Minnesota’s second-largest health care data breach hits Children’s, other providers


The parents of tens of thousands of patients of Children’s Minnesota hospitals are being told to watch their medical bills for signs of fraud in the wake of the second-largest health care data breach in state history.

Patients from at least four different health care providers in the state — Children’s, Allina Health, Regions Hospital and Gillette Children’s Specialty Healthcare — have been getting notifications in the mail this month saying their or their children’s data may have been pilfered at an outside company called Blackbaud that works for the hospitals’ charitable foundations. Nationally, more than 3 million people are affected by the breach, which Blackbaud discovered in May.

Children’s Minnesota, a two-hospital pediatric health system in the Twin Cities, is notifying more than 160,000 families that the data breach at South Carolina-based Blackbaud allowed hackers to obtain copies of a backup fundraising database stored by the Children’s Minnesota Foundation on Blackbaud’s cloud-computing systems.

That alone constitutes the second-largest health data breach in the state, according to records maintained by the federal Office for Civil Rights. On Wednesday morning, a spokesman for Regions Hospital in St. Paul confirmed that notification letters are being sent to 52,795 of its patients. It’s not yet clear how many patients from Allina or Gillette are affected.

Also in Minnesota, Minneapolis-based bone-marrow transplant registry company Be The Match is notifying patients of the breach.

The largest health care data breach reported by a Minnesota company happened last year, when Optum360 — a division of Minnetonka-based insurer and services provider UnitedHealth Group — disclosed that records on 11.5 million people were exposed. Most of those records did not involve Minnesotans. Rather, Optum360 had contracted with a now-bankrupt outside firm called American Medical Collection Agency, whose computers were breached. Optum itself had been working for Quest Diagnostics, which provided health and financial data on patients who were being sent to collections.

Across the nation, dozens of charities and hospitals whose data was stored on Blackbaud computers have reported breaches to more than 3.4 million donors and patients, according to a tally compiled by an independent researcher at the website, www.databreaches.net.

“The Blackbaud breach is likely to be the biggest or one of the biggest breaches involving patient information in 2020,” wrote “Dissent,” a blogger at databreaches.net who is also a health care provider and has posted about health-data breaches since 2008.

The incident was not limited to health care. In July, charitable organizations around Minnesota began e-mailing donors about the breach, including Feed My Starving Children, Catholic Charities of St. Paul and Minneapolis and Cretin-Derham Hall High School. The Pioneer Press reported that Dodge Nature Center and Preschool in West St. Paul also was affected.

The Hennepin Healthcare Foundation, which raises money for the Minneapolis-based health system, was hit by the breach. But the July 22 letter about the breach says only that the contact and demographic information of donors to the foundation, plus a history of past donations and amounts, were breached.

“We recommend you remain vigilant and be on-guard for any scams or social engineering attacks that may use previous donations, as a way of establishing trust and impersonating us or another nonprofit,” the Hennepin Healthcare letter said. “Please contact us immediately if you are suspicious someone is using your support of Hennepin Healthcare to leverage additional personal information or donations.”

Blackbaud, the world’s leading cloud-software firm for charities, discovered in May that a computer hacker outside the company had gained the ability to log into an internal data-center server and download files. Although the attack did not penetrate Blackbaud’s cloud-computing operations, the hacker did download a “subset” of data before the intrusion was blocked, according to a narrative published by The Nonprofit Times, which interviewed several Blackbaud officials.

After cutting off access, Blackbaud paid an undisclosed ransom to the attacker in exchange for “confirmation that the copy they removed had been destroyed,” Blackbaud’s official statement on the incident says. No credit card information, bank account information, or Social Security numbers were stolen, according to the company.

Blackbaud says it has “no reason” to believe data compromised as part of the ransomware attack will ever be misused or disseminated publicly.

“Their motivation was to disrupt our business by encrypting customer files in our datacenters, which we were able to prevent. We have hired a third-party team of experts to monitor the dark web as an extra precautionary measure,” the company said.

Like the letter from Hennepin Healthcare, the letter from Children’s Minnesota says those affected should be on the lookout for signs that could indicate potential fraud, such as charges for services that were never given.

Blackbaud didn’t respond when asked why hospitals are advising patients and donors to watch for suspicious medical charges following the breach if there was no indication that the data would be misused. Blackbaud’s e-mail said it would not comment beyond a statement on its website, “out of respect to the privacy for our customers.”

The letter from Children’s Minnesota says the exposed data likely included the pediatric patient’s full name, date of birth, address, phone number, age, gender, medical record number, dates and locations of treatment, names of treating doctors and insurance status.

Some people getting the health care-related breach letters say they don’t understand why hospitals are sharing patient data with a third party working on fundraising.

Even though health care providers typically require patients or guardians to sign paperwork acknowledging medical data may be shared with outside parties, it’s unclear why a charitable foundation that doesn’t directly provide health care needs access to information from patient medical records.

“I’m consenting for doctors to do with whatever they need to do, but not the medical data and history of my child to go to a third party so they can market to me for fundraising campaigns,” said Matt Berg of Minneapolis, who got one of the letters this week. His child has gone to Children’s Minnesota in the past.

A spokeswoman for Children’s Minnesota said in an e-mail Wednesday morning that it’s common for not-for-profit health care systems to track past patient interactions for fundraising.

“Often, people choose to make a donation to our foundation after they or a loved one has received care at one of our facilities. We track a limited amount of information in the Blackbaud database so, for example, we are able to identify which clinician or department a family has interacted with in the event they would like to direct their gift to a specific program,” the Children’s spokeswoman said.

 




