Inova Health System is among a dozen health systems affected by a ransomware attack at a third-party software vendor.
The Falls Church, Virginia-based health system is notifying more than 1 million patients and donors that their personal data may have been compromised by the cyberattack.
Blackbaud, a third-party service vendor used for fundraising and alumni or donor engagement efforts at nonprofits and universities, said cyberattackers intermittently removed data from Blackbaud’s systems between Feb. 7, 2020, and May 20, 2020.
While Blackbaud prevented the cybercriminals from blocking its system access and fully encrypting its files, the attackers were successful in removing a copy of a subset of data from the vendor's self-hosted environment, the company said in a statement posted to its website.
The software company said it paid a ransom so the attackers would destroy their backup file of stolen information.
The attackers did not access credit card information, bank account information or Social Security numbers, according to Blackbaud.
Inova said it learned of the incident in July.
"This was a wide-reaching security event that involved data of many of Blackbaud’s clients around the world, including certain personal information of Inova patients and donors," the health system said in a notice posted to its website on Wednesday.
"Inova takes seriously the security of our patients’ and donors’ personal information, and is notifying affected individuals and providing them with steps they can take to protect themselves," the health system said.
The data breach affected up to 1,045,270 people, according to a report Inova submitted to the Department of Health and Human Services' Office for Civil Rights on Wednesday.
Inova said it conducted its own investigation in partnership with leading cybersecurity professionals and determined that the information the attackers removed may have contained certain personal information of some patients and donors. That information could include full names, addresses, dates of birth, provider names, dates of service and/or philanthropic giving history such as donation dates and amounts.
The incident does not impact individuals’ Social Security numbers and financial account information and/or payment card information. Inova's electronic health record system also was not impacted by the attack, the health system said.
The cyberattack affected more than 25,000 nonprofit organizations worldwide, including at least 12 health systems in the U.S., according to information compiled by Becker's Hospital Review.
The attack affected at least 3 million people across those 12 health systems.
According to a list from Becker's Hospital Review, the 12 health systems that reported they were impacted by Blackbaud's cyberattack include Atrium Health, Catholic Health, MultiCare Health System (300,000 individuals), Northern Light Health Foundation (659,000 people), NorthShore University Health System in Illinois (348,000 people), Saint Luke's Health System in Missouri (360,000 people) and UK HealthCare in Kentucky (163,000 people).
Blackbaud reported that there is no evidence to believe any data will be misused, disseminated or otherwise made publicly available.
According to Inova, Blackbaud said it closed the vulnerability that allowed the incident. The software vendor also has taken steps to enhance its security controls and is conducting ongoing efforts against cyberattacks in the future.