Spectrum Health Impacted by Blackbaud Data Security Incident

August 31, 2020

GRAND RAPIDS, Mich., August 31, 2020 – Spectrum Health is one of the many non-profit organizations affected by the ransomware attack against Blackbaud, Inc., which hosts data for the Spectrum Health Foundation. The cybercriminals were able to remove a copy of a subset of data that included some information from its Foundation.

On July 16, 2020, Spectrum Health was made aware of a global data security incident involving Blackbaud, Inc., which hosts data for the Spectrum Health Foundation. The health system learned that Blackbaud had been the victim of a ransomware attack that was discovered and ended in May of this year. Criminals use ransomware as a way to get companies to pay money to regain access to their electronic information. The cybercriminals were able to remove from Blackbaud’s computer systems data that included information from the Spectrum Health Foundation.  Importantly, no Spectrum Health technology, computer networks or systems were impacted by this incident.

This data incident did not involve social security numbers, passwords, credit card or bank information. In fact, such financial-related data are not kept in the Spectrum Health databases hosted by Blackbaud.

Spectrum Health conducted its own independent investigation and learned the data accessed by the cybercriminals included some protected health information of Spectrum Health patients. The information had been included in the Blackbaud database as part of Spectrum Health’s grateful giving program.  After a patient receives care at one of its hospitals, the Foundation reaches out to ask whether they would like to say “thank you” to their care team by sending a card or making a donation. Spectrum Health will be contacting patients by mail if their information was included in the Blackbaud incident.

The patient information was limited and may have included name, address, date of birth, email, medical record number, history of making a donation to the Spectrum Health Foundation (if applicable), and other publicly available information.

“At Spectrum Health, we take our data protection responsibilities very seriously and we expect our vendors to do the same,” said Darryl Elmouchi, MD, president, Spectrum Health West Michigan. “We know the community places their trust in us and we work diligently every day to keep that trust. We regret any concern or inconvenience this may cause among our patients.”

This security incident impacted Blackbaud’s clients across the U.S. and around the world, including thousands of other non-profit organizations. To protect individuals’ data and avoid potential identity theft, Blackbaud paid the cybercriminals ransomware demand. According to Blackbaud, they were assured the data file was destroyed. Blackbaud has been working with third-party experts to monitor the web to verify the data accessed by the cybercriminals was destroyed and has not been misused. An incident summary is posted on the Blackbaud website.

In a statement on its website, Blackbaud said in part, “We apologize that this happened and will continue to do our very best to supply help and support as we and our customers jointly navigate this cybercrime incident.”

Spectrum Health encourages patients with questions to call (888) 952-9101 or email privacy@spectrumhealth.org.

People are at the heart of everything we do, and the inspiration for our legacy of outstanding outcomes, innovation, strong community partnerships, philanthropy and transparency. Corewell Health is a not-for-profit health system that provides health care and coverage with an exceptional team of 60,000+ dedicated people—including more than 11,500 physicians and advanced practice providers and more than 15,000 nurses providing care and services in 21 hospitals, 300+ outpatient locations and several post-acute facilities—and Priority Health, a provider-sponsored health plan serving more than 1.3 million members. Through experience and collaboration, we are reimagining a better, more equitable model of health and wellness. For more information, visit corewellhealth.org.

Contact:
Ellen Bristol
External Affairs Manager
Office: 616.391.4399
Mobile: 616.581.6474
Email: ellen.bristol@corewellhealth.org