Minnesota's second-largest health care data breach hits Children's, Allina

Hundreds of thousands of patients and donors to Children's Minnesota and Allina Health hospitals are getting letters saying some of their personal data may have been exposed in the second-largest health care data breach in state history.

The growing list of those affected includes more than 160,000 patients and donors at Children's Minnesota, and more than 200,000 patients and donors from Allina Health hospitals and clinics.

Those notified of the breach involving Children's Minnesota are being told to watch their medical bills for signs of fraud. Allina's breach notice says the information involved, including names and addresses and possibly medical information, does not put individuals at risk for identity or financial theft.

Patients and donors to at least four different health care providers in the state — Children's, Allina, Regions Hospital and Gillette Children's Specialty Healthcare — have been getting notifications in the mail this month saying their or their children's data may have been pilfered from a contractor called Blackbaud that works for the hospitals' charitable foundations. Nationally, more than 3 million people are affected by the breach.

Children's Minnesota, a two-hospital pediatric health system in the Twin Cities, is notifying more than 160,000 families that the data breach at South Carolina-based Blackbaud allowed hackers to obtain copies of a backup fundraising database stored by the Children's Minnesota Foundation on Blackbaud's cloud-computing systems.

The letter from Children's Minnesota says the exposed data likely included the pediatric patients' full name, date of birth, address, phone number, age, gender, medical record number, dates and locations of treatment, names of treating doctors and insurance status.

The letter from Allina says the breach definitely included names and addresses, and that it may have included dates of birth, dates of care, and the names of doctors and departments visited.

The Blackbaud breach constitutes the second-largest health data breach in the state, according to records maintained by the federal Office for Civil Rights. On Wednesday, a spokesman for Regions Hospital in St. Paul confirmed that breach notification letters are being sent to 52,795 patients, and Gillette confirmed it sent 1,766 such letters.

Allina confirmed Wednesday that data from about 200,000 donors and patients may have been hacked, though the health system is notifying everyone in its database.

Each of the health care providers say they've notified those whose information was taken.

"Since learning of this incident, we have been working with Blackbaud to understand the scope of the ransomware attack and the steps it is taking to prevent future data security incidents," an Allina spokesperson wrote. "Our security experts have evaluated Blackbaud's security protocols and feel confident it has taken the appropriate action to further protect the information entrusted to it."

Like officials at other hospitals, a spokesman at Gillette Children's said the data were provided to the foundation and Blackbaud as part of fundraising efforts that reach out to patients or their families who have good experiences with the hospital.

"We track a limited amount of information in the Blackbaud database so we are able to identify which doctor, or department, someone has interacted with if they would like to direct their gift to a specific program," the Gillette Children's statement said.

Minneapolis-based bone-marrow transplant registry company Be The Match notified donors of the breach in a letter dated Aug. 11.

The largest health care data breach reported by a Minnesota company happened last year, when Optum360 — a division of Minnetonka-based insurer and services provider UnitedHealth Group — disclosed that records on 11.5 million people were exposed.

Most of those records did not involve Minnesotans. Rather, Optum360 had contracted with a now-bankrupt firm whose computers were breached. Optum itself had been working for Quest Diagnostics, which provided health and financial data on patients who were being sent to collections. Securities filings show that Quest has been sued by patients over the breach and is being investigated by state and federal officials.

Across the nation, dozens of charities and hospitals whose data were stored on Blackbaud computers have reported breaches to more than 3.4 million donors and patients, according to the website databreaches.net.

"The Blackbaud breach is likely to be the biggest or one of the biggest breaches involving patient information in 2020," wrote "Dissent Doe," a blogger at databreaches.net who is also a health care provider and writes about health-data breaches.

The Blackbaud incident was not limited to health care. In July, charitable organizations around Minnesota began e-mailing donors about the breach, including Feed My Starving Children, Catholic Charities of St. Paul and Minneapolis and Cretin-Derham Hall High School, among others.

The Hennepin Healthcare Foundation, which raises money for the Minneapolis-based health system, also was hit by the breach. But a July 22 letter about the breach says only that the contact and demographic information of donors to the foundation, plus a history of past donations and amounts, were compromised.

"We recommend you remain vigilant and be on-guard for any scams or social engineering attacks that may use previous donations, as a way of establishing trust and impersonating us or another nonprofit," the foundation wrote.

Blackbaud, which bills itself the world's leading cloud-storage firm for charities, discovered in May that a computer hacker outside the company had gained the ability to log into an internal data-center server and download files as early as February.

Blackbaud declined to comment to the Star Tribune, but it did send a link to an article about the hack. Although the attack did not penetrate Blackbaud's cloud-computing operations, the hacker downloaded a "subset" of data before the intrusion was blocked, according to a story in the Nonprofit Times, which interviewed several Blackbaud officials.

After cutting off access, Blackbaud paid an undisclosed ransom to the attacker in exchange for "confirmation that the copy they removed had been destroyed," Blackbaud's official statement on the incident says. It says no credit card information, bank account information or Social Security numbers were stolen.

The cyberattack that began with undetected unauthorized access on Feb. 7 was over by June 3, but communications about the ransom to destroy the downloaded files continued throughout June. By June 25, Blackbaud got an official report from its independent forensic investigator that allowed it to start to pinpoint which organizations' information was affected.

Like the letter from Hennepin Healthcare, the letter from Children's Minnesota says those affected should be on the lookout for fraud, such as charges for services that were never given.

Blackbaud didn't say why hospitals are advising patients and donors to watch for suspicious activity if there was no indication that the data would be misused. Blackbaud's e-mail said it would not comment beyond a statement on its website, "out of respect to the privacy for our customers."

Some question why hospitals are sharing patient data with a third-party working on fundraising.

Even though health care providers typically require patients or guardians to sign paperwork acknowledging medical data may be shared with outside parties, some patients don't think a charitable foundation needs access to medical records.

"I'm consenting for doctors to do with whatever they need to do, but not the medical data and history of my child to go to a third party so they can market to me for fundraising campaigns," said Matt Berg of Minneapolis who got one of the letters this week. His child has been treated at Children's Minnesota in the past.

A spokeswoman for Children's Minnesota said in an e-mail Wednesday morning that it's common for not-for-profit health care systems to track past patient interactions for fundraising.

"Often, people choose to make a donation to our foundation after they or a loved one has received care at one of our facilities. We track a limited amount of information in the Blackbaud database so, for example, we are able to identify which clinician or department a family has interacted with in the event they would like to direct their gift to a specific program," the Children's spokeswoman said.