Chesapeake Regional patient and donor information exposed in data breach

Elisha Sauers, The Virginian-Pilot
·2 min read

Chesapeake Regional Healthcare officials said information about more than 23,000 of its patients, donors and employees was stolen during a vendor’s data breach this year.

Blackbaud, the third-party vendor, provides the hospital system with fundraising, donor engagement and data-hosting support. Chesapeake Regional officials said they have contacted by mail, email, or both, the people whose information was exposed.

The ransomware attack happened “at some point beginning on” Feb. 7 and “may have intermittently reoccurred” until May 20, the hospital system said. Chesapeake Regional officials said Blackbaud only informed them of the issue Sept. 9.

When asked if the healthcare system had concerns about how long it took for the vendor to notify them of the breach, spokeswoman Tricia Hardy responded in a statement to The Virginian-Pilot, expressing confidence in the way the company handled the situation.

“Blackbaud has assured Chesapeake Regional that they have implemented several changes to protect data from any subsequent incidents,” she said. “Their team has confirmed through testing by multiple third parties that the implementation of their corrective action plan withstands all known attack tactics.”

The cyber attack has cost the Charleston, S.C.-based tech company $3.6 million and resulted in over 20 lawsuits in North America, The Post and Courier reported Wednesday. Since the incident, 43 state attorneys general and other federal agencies have requested more information.

Blackbaud told Chesapeake Regional that during the attack, someone removed a copy of the vendor’s backup file containing names, mailing addresses, email addresses, demographics and the history of individuals' relationships with the organization. That could include things like donation dates and amounts.

Credit card numbers, bank account information and Social Security numbers were not exposed, Hardy said.

The vendor told the hospital system there was no reason to believe any of the data has been misused or shared.

Elisha Sauers, elisha.sauers@pilotonline.com, 757-222-3864

———

©2020 The Virginian-Pilot (Norfolk, Va.)

Visit The Virginian-Pilot (Norfolk, Va.) at pilotonline.com

Distributed by Tribune Content Agency, LLC.