The personal information of thousands of patients and contributors may have been accessed by cybercriminals in a third-party data breach, University of Kentucky HealthCare announced Tuesday.
Blackbaud, a company that UK HealthCare hired for digital data storage “related to donors and philanthropy between 2015 and 2019,” found that a cyberattack allowed hackers to view data about donors that included names, addresses, dates of birth, medical record numbers, admission dates, area of service and attending doctors.
UK HealthCare will notify about 163,000 possibly affected people. The breached information was about donors who were previously patients. Further content of medical records was not accessed. UK HealthCare never provided bank account information or Social Security and credit card numbers to Blackbaud, so that information could not be accessed.
“Protecting the security of information belonging to our donors, patients, and any individuals whose information is entrusted to us is of the utmost importance,” Richard Chapman, UK HealthCare’s chief privacy officer, said in the announcement. “Our health system has strict policies and procedures in place to protect patient information, and we are currently undertaking additional steps to reinforce those measures.”
Blackbaud’s data breach has affected more than 25,000 nonprofit organizations worldwide, the UK hospital system said.
The data was acquired between early February and mid-May. Blackbaud notified UK HealthCare of the breach in mid-July.
According to a post about the incident on Blackbaud’s website, the company discovered the cyberattack in May and expelled the cybercriminal from the company’s system. Before being expelled, the cybercriminal removed “a copy of a subset of data.” The company paid a ransom to the hackers in exchange for the data copy being destroyed.
Since mid-July, UK HealthCare said it took steps to understand the extent of the breach and what data was involved,
UK HealthCare no longer uses Blackbaud, spokesperson Kristi Willett said in a statement. The hospital system currently uses a security review process for new vendors that handle patient information and reviews protection practices of other key vendors that already handle private data.
“While the threats to patient information are constantly evolving, UK HealthCare is also continually adapting our risk management procedures and security controls to meet these threats,” Willett said.