A cyberattack against an international software company included a database breach of customer Atrium Health, which may have compromised some personal information about patients.
In recent weeks, affected patients and philanthropic donors were notified and Atrium posted a notice of the ransomware attack on its website. Atrium Health officials said in the notice some information — possibly including a person’s name, birth date and doctor’s name — was accessed when cybercriminals targeted one of its vendors, Blackbaud.
The hospital system says no medical records or information about medications or test results were compromised and no credit card or bank account information was stolen.
Blackbaud, which provides donor management software to many institutions around the world, notified Atrium on July 16 of the attack on its systems, according to Atrium’s letter to patients, one of which was obtained by the Observer on Saturday.
It’s unclear how many people in Charlotte or in Atrium’s other locations may be impacted.
In a statement to the Observer on Saturday, Atrium said “there are still many unanswered questions and we are diligently pursuing both answers and resolution. Like thousands of other Blackbaud clients, we are very concerned about this event and are carefully evaluating our next steps.”
“We sincerely apologize for this incident at Blackbaud and any concern or inconvenience it may cause,” Atrium said in its notification to patients.
North Carolina sets data breach record
A record number of data breaches were reported in North Carolina last year, N.C. Attorney Gen. Josh Stein said in January. The 1,210 breaches reported to the North Carolina Department of Justice were the most in a year since reporting requirements began in 2005, according to Stein.
In its statement Saturday, Atrium said it has been in “frequent communication with Blackbaud to understand what took place and who may have been impacted.” Atrium’s legal, security and privacy teams are investigating the attack.
According to the hospital system’s website post, Blackbaud discovered on May 14 that “an unauthorized party accessed its systems.” The breach occurred from Feb. 7 to May 20, Atrium said.
Soon after discovering the breach, Blackbaud “locked the cybercriminals out of its systems,” according to Atrium Health.
“Blackbaud paid the cybercriminals a ransom to delete the data,” the hospital’s letter states.
The cybercriminals managed to steal a copy of a back-up database that contained information from numerous Blackbaud clients, Atrium said. “Unfortunately, Atrium Health was one of those clients,” according to the statement.
Blackbaud also hired a company to monitor the internet for any “misuse” of the stolen information, according to Atrium, and has found none. That company has seen no evidence “that the information still exists or is being misused,” according to the hospital system.
On Aug. 12, Atrium confirmed the breach included information from some of its patients, including possibly their first and last names, home addresses, phone numbers, emails and dates of birth.
The stolen information also included their guarantor information, decedent status, internal patient ID number, when and where they were treated and the names of their doctors.
Stolen information from minors might have included the name and relationship of their guarantor.
“If the patient made a donation to support Atrium Health, the date and amount of the donation may have also been included,” according to Atrium.
No social security information stolen, Atrium says
The breach did not include Social Security numbers or credit card and bank account information, Atrium said.
Also, according to Atrium, Blackbaud has never had access to medical records or information about patient prognosis, medications and test results.
As a precaution, the breach prompted Atrium Health to review its security safeguards.
“We take this matter very seriously and are reviewing our relationship with Blackbaud,” the hospital system said.
Patients with questions can call (888) 498-0914, 9 a.m.-6:30 p.m. weekdays, except for holidays.