Computer hackers who victimized a prominent software company grabbed the names, medical service numbers and dates of service for patients who received care in Catholic Health facilities from 2016 through May of this year, the health care group said late Tuesday.
Lists of donors to the Roswell Park Alliance Foundation and some of their personal information, but not financial information, also were stolen in the ransomware attack at Blackbaud Inc., according to an email Roswell sent to donors Tuesday.
Other local hospitals said they were not affected by the Blackbaud hack.
Blackbaud is a national firm that maintains online records for more than 25,000 nonprofit organizations, ranging from hospitals to schools, churches, arts and cultural groups and foundations.
According to the Roswell Park email, the hacking continued intermittently from February through May.
"Blackbaud determined that the backup file may have contained limited non-financial information, such as your contact information, date of birth, limited demographic data and a history of your relationship with the Alliance Foundation, such as donation dates and amounts," Cindy A. Eller, Roswell Park Alliance Foundation executive director, wrote in the email.
Blackbaud paid the hacker a ransom in exchange for the destruction of a backup file that contained the stolen information.
"The cybercriminal did not access credit card information, bank account information, or social security numbers," said a statement on Blackbaud's website.
"Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly," the Blackbaud post said.
Catholic Health issued a news release that said it learned of the breach in mid-July. The hacker obtained a database of patients which was being maintained as a list of potential donors to Catholic Health and its foundations, spokeswoman JoAnn Cavanaugh said Wednesday.
"After a thorough investigation, Catholic Health determined that no medical information, social security numbers, addresses, bank account numbers or credit card information were included in the data breach," a Catholic Health news release said.
Cavanaugh said that investigation was carried out by an in-house cybersecurity team at Catholic Health.
"Roswell Park has confirmed that no Social Security numbers, personal financial information or patient medical records were accessed in the Blackbaud incident," foundation spokeswoman Michelle Ostrander said.
"Roswell Park and the Roswell Park Alliance Foundation are continuing to investigate this incident, including to what extent limited patient information such as name, address, date of birth and/or physician name, may have been involved and will be notifying anyone who was affected," Ostrander said.
"Blackbaud chose to pay the cybercriminal’s ransom and received confirmation that the data was destroyed. Out of an abundance of caution, we are sharing this information with our patients and community to increase awareness of this incident for the Western New York region," the Catholic Health release said.
"Patient privacy is of the utmost importance and we go to great lengths to safeguard patient information," said Kimberly Whistler, Catholic Health's corporate compliance and privacy officer.
"All patients whose names and information were part of this incident will be receiving a letter from Catholic Health in the next few weeks," Whistler said. "While we do not believe there is a need for anyone to take action, we recommend all patients remain vigilant and report any suspicious activity or suspected identity theft to the proper authorities."