NorthShore University HealthSystem said the personal information of about 348,000 people may have been exposed in a breach involving one of the health system’s vendors earlier this year.
NorthShore recently sent a letter to those affected saying information including their full names, birth dates, addresses, phone numbers, doctors’ names, doctors’ offices and dates of admission and discharge may have been exposed.
No patient medical records were accessed, NorthShore spokesman Jim Anthony said in a statement Tuesday. The vendor, Blackbaud, told NorthShore no credit card, bank account information, social security numbers, or user login credentials or passwords were compromised, he said.
“Based on the data involved, there is low risk of harm to affected individuals,” he said.
Anthony said those affected might include patients, donors and/or employees, but did not give specifics.
Blackbaud provides software services to NorthShore’s foundation as well as 35,000 other nonprofit fundraising organizations, NorthShore said in the letter to those affected. Northwestern Memorial HealthCare recently notified about 56,000 donors and patients that their personal information may have been exposed in the breach.
NorthShore and Northwestern reported the breaches to the U.S. Department of Health and Human Services Office for Civil Rights.
The Blackbaud breach was the result of a ransomware attack, in which cybercriminals attempt to lock companies out of their own data and servers and demand ransom in order to restore access, Blackbaud said in a statement on its website. Blackbaud discovered the attack in May. NorthShore learned of the breach July 22, according to the hospital’s letter.
Blackbaud said it stopped the attack before it was locked out of its own system, but the cybercriminal accessed some data. Blackbaud said it paid a ransom to ensure the stolen copy of the data was destroyed.
Blackbaud said in a statement it has “no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.”
NorthShore is recommending affected individuals monitor their personal accounts for suspicious activity.
