Ransomware Attack Exposes NorthShore, Northwestern Patient Data

EVANSTON, IL — Cybercriminals gained access to the personal information of more than 400,000 people involved with NorthShore University HealthSystem and Northwestern Memorial HealthCare in a ransomware attack earlier this year on a cloud software company, the health care systems disclosed earlier this month.

In a cyberattack that occurred at some point between Feb. 7 and May 20, hackers breached the systems of the Charleston, South Carolina-based software company Blackbaud. The firm provides database management software used for fundraising. In a ransomware attack, cybercriminals lock companies or governments out of their own servers and hold their data hostage in exchange for payment.

Before the company's cybersecurity team was able to lock out the hacker and prevent them from fully encrypting the company's files, the attacker was able to copy a backup of personally identifiable data, although it did not include credit card, bank account or social security numbers, according to Blackbaud officials.

"Because protecting our customers’ data is our top priority, we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed. Based on the nature of the incident, our research, and third party (including law enforcement) investigation, we have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly," according to a statement from company representatives. "We apologize that this happened and will continue to do our very best to supply help and support as we and our customers jointly navigate this cybercrime incident."

The company has about 35,000 nonprofit clients, and more than 2 million people from over 25,000 nonprofits have so far been affected nationwide, according to Becker's Hospital Review.

On July 16, Blackbaud notified Northwestern Memorial HealthCare of the data breach, which involved nearly 56,000 donors.

According to a notification from the health care system, the database includes donor or patient information when donations were made, "including names, age, gender, dates of birth, medical record number, dates of service, departments of service, treating physicians, and/or limited clinical information." The Social Security numbers, payment card information and other financial data of five people were also compromised.

On July 22, NorthShore officials learned of the data incident, according to a notification. While no credit card or bank account information, Social Security numbers, online logins or passwords were compromised, the protected health information of approximately 348,000 people were breached, including patients' birthdays, dates of admission and discharge, identities and specialties of their doctors, home addresses and phone numbers.

"Based on the data involved, we believe there is low risk of harm to affected individuals," NorthShore representatives said in a statement, noting no medical records were breached. "As such, there are no specific actions donors or patients need to take at this time. We are notifying all affected individuals and reminding everyone to regularly monitor personal accounts for any suspicious activity."