Beebe Medical Center was impacted by a data breach in early 2020 involving a firm it uses for data management, according to a statement from the hospital dated Dec. 28, 2020.
Letters dated Dec. 24, 2020, were sent to those whose information was involved in the breach, which included 58,000 individuals, according to hospital representatives.
According to the statement, Beebe was notified on July 16 by Blackbaud, a third-party data management company, that it had discovered and stopped a ransomware attack that occurred from Feb. 7, 2020, to May 20, 2020.
Blackbaud had initially told Beebe that its data was not affected, but in November 2020, the company notified Beebe that its data was, in fact, included in the breach.
“While Blackbaud prevented the cybercriminal from encrypting the Blackbaud data, the cybercriminal was able to remove a copy of a subset of constituent data from several of Blackbaud’s clients, including Beebe Medical Center,” the statement said.
“On Dec. 2, 2020, after significant review, Beebe discovered that the personal information of certain individuals may have been contained within the affected Blackbaud database,” they said.
Based on Beebe’s investigations, information potentially impacted by the data breach includes names, as well as dates of birth, clinicians’ names, dates of screening, visit dates and the department related to the person’s medical services.
“Importantly, no Social Security numbers or financial account numbers were impacted as a result of this incident,” Beebe stated.
Meanwhile, Blackbaud confirmed that they had paid “the cybercriminal’s demand” and, in return, received confirmation that the data involved in the breach had been destroyed. Blackbaud also said it has retained experts to monitor the “dark web” — a part of the internet that requires special software to access — to verify that the data involved in the breach has not been misused or released, and that it intends to continue to such monitoring on a constant, indefinite basis.
“Blackbaud has assured us that they have taken the necessary steps to secure their environment,” Beebe representatives said.
In the letters to potentially impacted customers, Beebe suggests that they should “remain vigilant and promptly report any suspicious activity or suspected identity theft to the proper authorities. The letters also include contact information for three credit-reporting companies — TransUnion, Experian and Equifax — and information on how to place a fraud alert on a credit report. The alert informs creditors of the possibility of fraudulent activity and requires creditors to contact the consumer before establishing any accounts in their name.
The data breach impacted at least two dozen healthcare systems across the country, according to an article on HealthITSecurity.com, which listed it as the top healthcare data breach of 2020. Blackbaud’s data management services are also employed by educational organizations.
To read Beebe’s entire statement on the data breach, go to www.beebehealthcare.org/news-release/beebe-informs-those-affected-blackbaud-data-incident.