
Minnesota's second-largest health care data breach hits Children's, Allina, other providers - Minneapolis Star Tribune

Hundreds of thousands of patients and donors to Children’s Minnesota and Allina Health hospitals are getting letters saying some of their personal data may have been exposed in the second-largest health-care data breach in state history.

The growing list of those affected includes more than 160,000 patients and donors at Children’s Minnesota, and more than 200,000 patients and donors from Allina Health hospitals and clinics.

Those notified of the breach involving Children’s Minnesota are being told to watch their medical bills for signs of fraud in the wake of the second-largest health care data breach in state history. Allina’s breach notice says the information involved, including names and addresses and potentially medical information, does not put individuals at risk for identity or financial theft.

Patients and donors to at least four different health care providers in the state — Children’s, Allina, Regions Hospital and Gillette Children’s Specialty Healthcare — have been getting notifications in the mail this month saying their or their children’s data may have been pilfered at an outside company called Blackbaud that works for the hospitals’ charitable foundations. Nationally, more than 3 million people are affected by the breach, which Blackbaud discovered in May.

Children’s Minnesota, a two-hospital pediatric health system in the Twin Cities, is notifying more than 160,000 families that the data breach at South Carolina-based Blackbaud allowed hackers to obtain copies of a backup fundraising database stored by the Children’s Minnesota Foundation on Blackbaud’s cloud-computing systems.

The letter from Children’s Minnesota says the exposed data likely included the pediatric patient’s full name, date of birth, address, phone number, age, gender, medical record number, dates and locations of treatment, names of treating doctors and insurance status.

The letter from Allina says the breach definitely included names and addresses, and that it may have included dates of birth, dates of care, and the names of doctors and departments visited.

The Blackbaud breach constitutes the second-largest health data breach in the state, according to records maintained by the federal Office for Civil Rights. On Wednesday morning, a spokesman for Regions Hospital in St. Paul confirmed that breach notification letters are being sent to 52,795 patients, and Gillette confirmed it sent 1,766 such letters.

Just after noon Wednesday, Allina confirmed that data from about 200,000 donors and patients may have been hacked, though the health system is notifying everyone in its database.

All of the health care providers say they’ve notified those whose information was affected.

“Since learning of this incident, we have been working with Blackbaud to understand the scope of the ransomware attack and the steps it is taking to prevent future data security incidents,” an Allina spokesperson wrote. “Our security experts have evaluated Blackbaud’s security protocols and feel confident it has taken the appropriate action to further protect the information entrusted to it.”

Also in Minnesota, Minneapolis-based bone-marrow transplant registry company Be The Match notified donors of the breach in a letter dated Aug. 11.

The largest health care data breach reported by a Minnesota company happened last year, when Optum360 — a division of Minnetonka-based insurer and services provider UnitedHealth Group — disclosed that records on 11.5 million people were exposed.

Most of those records did not involve Minnesotans. Rather, Optum360 had contracted with a now-bankrupt outside firm called American Medical Collection Agency, whose computers were breached. Optum itself had been working for Quest Diagnostics, which provided health and financial data on patients who were being sent to collections.

Across the nation, dozens of charities and hospitals whose data was stored on Blackbaud computers have reported breaches to more than 3.4 million donors and patients, according to a tally compiled by an independent researcher at the website, www.databreaches.net.

“The Blackbaud breach is likely to be the biggest or one of the biggest breaches involving patient information in 2020,” wrote “Dissent,” a blogger at databreaches.net who is also a health care provider and has posted about health-data breaches since 2008.

The incident was not limited to health care. In July, charitable organizations around Minnesota began e-mailing donors about the breach, including Feed My Starving Children, Catholic Charities of St. Paul and Minneapolis and Cretin-Derham Hall High School. The Pioneer Press reported that Dodge Nature Center and Preschool in West St. Paul also was affected.

The Hennepin Healthcare Foundation, which raises money for the Minneapolis-based health system, was hit by the breach. But the July 22 letter about the breach says only that the contact and demographic information of donors to the foundation, plus a history of past donations and amounts, were breached.

“We recommend you remain vigilant and be on-guard for any scams or social engineering attacks that may use previous donations, as a way of establishing trust and impersonating us or another nonprofit,” the Hennepin Healthcare letter said. “Please contact us immediately if you are suspicious someone is using your support of Hennepin Healthcare to leverage additional personal information or donations.”

Blackbaud, the world’s leading cloud-software firm for charities, discovered in May that a computer hacker outside the company had gained the ability to log into an internal data-center server and download files. Although the attack did not penetrate Blackbaud’s cloud-computing operations, the hacker did download a “subset” of data before the intrusion was blocked, according to a narrative published by The Nonprofit Times, which interviewed several Blackbaud officials.

After cutting off access, Blackbaud paid an undisclosed ransom to the attacker in exchange for “confirmation that the copy they removed had been destroyed,” Blackbaud’s official statement on the incident says. No credit card information, bank account information, or Social Security numbers were stolen, according to the company.

Blackbaud says it has “no reason” to believe data compromised as part of the ransomware attack will ever be misused or disseminated publicly.

“Their motivation was to disrupt our business by encrypting customer files in our datacenters, which we were able to prevent. We have hired a third-party team of experts to monitor the dark web as an extra precautionary measure,” the company said.

Like the letter from Hennepin Healthcare, the letter from Children’s Minnesota says those affected should be on the lookout for signs that could indicate potential fraud, such as charges for services that were never given.

Blackbaud didn’t respond to a question about why hospitals are advising patients and donors to watch for suspicious activity following the breach if there was no indication that the data would be misused. Blackbaud’s e-mail said it would not comment beyond a statement on its website, “out of respect to the privacy for our customers.”

Some people getting the health care-related breach letters say they don’t understand why hospitals are sharing patient data with a third party working on fundraising.

Even though health care providers typically require patients or guardians to sign paperwork acknowledging medical data may be shared with outside parties, some patients don’t understand why a charitable foundation that doesn’t directly provide health care needs access to information from patient medical records.

“I’m consenting for doctors to do with whatever they need to do, but not the medical data and history of my child to go to a third party so they can market to me for fundraising campaigns,” said Matt Berg of Minneapolis, who got one of the letters this week. His child has gone to Children’s Minnesota in the past.

A spokeswoman for Children’s Minnesota said in an e-mail Wednesday morning that it’s common for not-for-profit health care systems to track past patient interactions for fundraising.

“Often, people choose to make a donation to our foundation after they or a loved one has received care at one of our facilities. We track a limited amount of information in the Blackbaud database so, for example, we are able to identify which clinician or department a family has interacted with in the event they would like to direct their gift to a specific program,” the Children’s spokeswoman said.

A spokesman at Gillette Children’s noted that people sometimes donate to the hospital foundation after they or their child have a good experience with the hospital.

“We track a limited amount of information in the Blackbaud database so we are able to identify which doctor, or department, someone has interacted with if they would like to direct their gift to a specific program,” the statement said.

 




"care" - Google News
September 17, 2020 at 12:19AM
https://ift.tt/2RzQogy
