OSF HealthCare Addresses Blackbaud Data Security Incident
OSF HealthCare System (“OSF”) is mailing letters to its patients advising them of a data security incident that occurred at one of its vendors, Blackbaud, Inc. (“Blackbaud”). Blackbaud provides cloud-based and data solution services related to OSF’s fundraising activities.
Blackbaud notified its customers it discovered that an unauthorized individual gained access to Blackbaud’s systems between February 7 and May 20, 2020. Blackbaud advised that the unauthorized individual may have acquired backup copies of databases used by its customers, including a backup of the database OSF uses for fundraising efforts. After being notified, OSF immediately took steps to understand the extent of the incident and the data involved.
On August 20, 2020, OSF’s investigation and review of the Blackbaud database involved in the incident determined that it contained some patient information, including names, addresses, phone numbers, email addresses, dates of birth, treatment facilities, treating physicians, departments of service, room numbers and/or medical record numbers.
Blackbaud advised that Social Security numbers, financial account, and credit card information were encrypted, and not able to be accessed by the unauthorized individual. This incident did not involve any access to OSF’s medical systems or electronic health records.
OSF HealthCare takes patients’ privacy very seriously. To help prevent something like this from happening again, OSF is assessing the security safeguards at Blackbaud and evaluating the data elements stored on the Blackbaud systems. OSF has also established a dedicated call center to answer any questions about this incident, at 1-877-376-0079, Monday through Friday, at 8:00 a.m. to 5:30 p.m. Central Time, excluding major U.S. holidays.
For patients whose information may have been involved in the incident, it is recommended they monitor statements received from their healthcare providers. If they see services they did not receive, please contact the healthcare provider that issued the statement immediately.