Hebrew SeniorLife (“HSL”) recently became aware of a data event by our vendor, Blackbaud, Inc. (“Blackbaud”) that may affect the privacy of information relating to certain current and former HSL patients and residents. On Thursday, July 16, 2020, we received notification from Blackbaud of a cyber incident. Blackbaud is a cloud computing provider that offers customer relationship management and financial services tools to organizations, including HSL. Upon receiving notice of the cyber incident, we immediately commenced an investigation to better understand the nature and scope of the incident and any impact on HSL data. This notice provides information about the Blackbaud incident, our response, and resources available to individuals to help protect information from possible misuse.
Blackbaud reported that, in May 2020, it experienced a ransomware incident that resulted in encryption of certain Blackbaud systems. Blackbaud reported the incident to law enforcement and worked with forensic investigators to determine the nature and scope of the incident. Following its investigation, Blackbaud notified its customers that an unknown cybercriminal may have accessed or acquired certain Blackbaud customer data. Blackbaud reported that the data was exfiltrated by the threat actor at some point before Blackbaud locked the threat actor out of the environment on May 20, 2020. Upon learning of the Blackbaud incident, we immediately commenced an investigation to determine what, if any, sensitive HSL data was potentially involved. This investigation included working diligently to gather further information from Blackbaud to understand the scope of the incident.
Our investigation determined that the involved Blackbaud systems contained information such as full name, demographic information, and a history of an individual’s relationship with our organization, such as donation dates and amounts, and/or the designation that an individual was a patient or resident of HSL, including “from” and “to” dates as a patient or resident. To date, we have not received confirmation from Blackbaud that HSL patient-specific information was accessed or acquired by the unknown cybercriminal.
On September 10, 2020, HSL began mailing notice letters to current and former patients whose personal information resided in the impacted Blackbaud systems, and for whom it had address information. The notice letter encourages potentially impacted individuals to remain vigilant against incidents of identity theft and fraud and to review their Explanation of Benefits form and account statements. In the unlikely event that an individual encounters any suspicious activity or incidents of identity theft they believe may be related to this incident, we recommend the individual promptly report it to us and to the proper law enforcement authorities.
HSL is providing potentially impacted individuals information on obtaining a free credit report annually from each of the three major credit reporting bureaus by visiting www.annualcreditreport.com, calling 877-322-8228, or contacting the three major credit bureaus directly at: Equifax, P.O. Box 105069, Atlanta, GA, 30348, 1-800-685-1111, www.equifax.com; Experian, P.O. Box 2002, Allen, TX 75013, 888-397-3742, www.experian.com; TransUnion, P.O. Box 2000, Chester, PA 19016, 800-680-7289, www.transunion.com.
Potentially impacted individuals may also find information regarding identity theft, fraud alerts, security freezes, and the steps they may take to protect their information by contacting the credit bureaus, the Federal Trade Commission, or their state Attorney General. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. Instances of known or suspected identity theft should also be reported to law enforcement or the individual’s state Attorney General.
We provided notice of this incident to the U.S. Department of Health and Human Services (HHS), as well as required state regulators.
The confidentiality, privacy, and security of information in our care are among our highest priorities, and we take this incident very seriously. As part of our ongoing commitment to the security of information, we are working to review existing policies and procedures regarding third-party vendors, and are working with Blackbaud to evaluate additional security measures and safeguards to protect against this type of incident in the future.
We sincerely apologize for this incident and regret any inconvenience it may cause you. Should you have any further questions or concerns regarding this matter and/or the protections available to you, please feel free to contact a member of HSL’s Development team at firstname.lastname@example.org or via the following toll-free number 1-866-580-9911.