Blackbaud Data Incident

NOTICE OF BLACKBAUD DATA INCIDENT

Roswell Comprehensive Cancer Center and Roswell Park Alliance Foundation (“Roswell Park”) were recently notified of a data security incident involving a Roswell Park vendor, Blackbaud, Inc., a software company that provides services to thousands of nonprofit organizations worldwide. We are providing notice of the incident out of an abundance of caution so potentially affected individuals are informed about the incident and how they can obtain additional information.

What Happened? Blackbaud provides cloud software services to nonprofits, health care organization, academic institutions, social service programs and arts and cultural organizations throughout the world and was subjected to a data security incident starting in February, 2020. On July 16, 2020, Blackbaud notified Roswell Park that an unauthorized actor attempted a ransomware attack on Blackbaud’s system starting in February of 2020 and continuing intermittently until May of 2020. The ransomware attack was stopped successfully, however, Blackbaud advised that the unauthorized actor did remove a copy of certain database backup files. Fortunately, Roswell Park’s information technology systems were not affected.  On July 24, 2020, we determined that the files at issue contained limited patient and donor information.  There is no indication that any information was individually accessed or misused in any way.

What Information Was Involved? We have determined that some of the files contained donor and patient contact information (name, address, email address), as well as in some cases, date of birth and a notation indicating the individual’s status as a patient and/or donor.  In limited circumstances, information about a general diagnosis, treating physician name and/or a three-letter clinic identification code was also included. It is important to note that no social security numbers, credit/debit card numbers, or other financial account information were accessed.  Blackbaud advised that it received confirmation from the actor that the files at issue were destroyed, and there is no indication that any information was misused or further disclosed.

What Are We Doing? We continue to investigate and implement appropriate measures to further review our vendor’s systems and practices.  We are working with a leading cybersecurity firm to aid in our investigation and response.  Additionally, we have reported the incident to Department of Health & Human Service’s Office of Civil Rights and relevant state agencies. 

What You Can Do? There is no indication that any personal information was individually accessed or misused in any way.  Although financial information was not involved, it is always recommended that you should review account statements regularly for suspicious activity on a and verify the source of suspicious email communications before opening.

For More Information.  If you have any questions, please contact our dedicated call center at 1- 888-604-0351, Monday through Friday, from 9:00 a.m. to 6:30 p.m., Eastern Standard Time (excluding U.S. national holidays).