MANCHESTER — Officials at Catholic Medical Center have informed patients and donors that data including names, addresses and information indicating if a person is alive or deceased was compromised in a recent security incident involving a software vendor.
According to a news release issued by Catholic Medical Center (CMC), software company Blackbaud “provides engagement and fundraising software to many non-profits,” including CMC.
On July 16, Blackbaud notified CMC that the company had recently discovered a cybercriminal breached their system and stole information about many charitable organizations, including CMC.
Blackbaud worked with law enforcement and cybersecurity specialists to expel the cybercriminal from their system. The company also paid a ransom in exchange for assurances that the stolen information would be destroyed.
According to CMC, the stolen information did not include bank account information, credit card information or social security numbers, but officials believe the cybercriminal accessed patient and donor lists from CMC that included names, addresses and information indicating if a person is alive or deceased.
“In addition, the cybercriminal may have accessed patients’ date of admission to CMC, a code indicating what department cared for them, email addresses, physician names, dates of birth, donor history, and phone numbers,” CMC said in a news release.
The company notes the incident did not impact CMC’s internal computer systems “or our electronic medical records, which we continue to safeguard.”
“CMC is working diligently with Blackbaud to understand how this incident occurred and steps we can take to prevent something like this from reoccurring in the future,” CMC said in a release. “Blackbaud assured us that they have already taken steps to patch, clean, and secure their network in accordance with security standards for the financial and technology industries. In addition, Blackbaud informed us that they have strengthened their access controls and implemented robust risk assessment and network security testing protocols.”
CMC officials said the hospital maintains an aggressive cybersecurity program,and requires contracted vendors to implement administrative, technical, and physical safeguards to secure all sensitive information within their organizations.
“Internal teams have reviewed Blackbaud’s responses to this incident, and we are evaluating whether any changes to our relationship with Blackbaud are necessary to further protect information in the future,” CMC said in a news release. “Patient privacy and security are of the highest importance to CMC, and we deeply regret that this incident occurred.”