Medical College of Wisconsin Notifies Patients of Blackbaud Data Security Incident
Milwaukee, Oct. 9, 2020 – The Medical College of Wisconsin (MCW) recently learned that Blackbaud, a third-party software and service provider used for fundraising and constituent engagement efforts at healthcare organizations, foundations, and non-profits worldwide, was the subject of a data security incident. This incident was widespread and impacted many of Blackbaud’s clients around the world, and it involved certain personal information of MCW patients. MCW takes the security of our patients’ personal information extremely seriously and is notifying affected individuals and providing them with precautionary steps they can take to protect themselves.
On July 16, 2020, Blackbaud informed MCW that it had discovered and stopped a ransomware event that occurred intermittently between February 7, 2020 and May 20, 2020. According to Blackbaud, they paid the threat actor to ensure that the data was permanently destroyed.
Once MCW was informed of the issue, it immediately initiated an internal investigation in partnership with outside experts to determine the impact to its stakeholders and appropriately notify them. On August 19, 2020, it was determined that the information removed by the threat actor contained personal information of some MCW patients, including full names, addresses, dates of birth, phone numbers, medical record numbers, dates of service, and/or treating physician names and specialties. Importantly, this incident does not impact patient Social Security numbers, financial account information, or payment card information. MCW’s electronic health record system was not impacted by this incident.
According to Blackbaud, there is no evidence to suggest that any data will be misused, disseminated, or otherwise made publicly available. Blackbaud indicates that it has hired a third-party team of experts, including a team of forensics accountants, to continue monitoring for any such activity. Notified individuals should always remain vigilant in reviewing their financial account and explanation of benefits statements for fraudulent or irregular activity on a regular basis and report any suspicious activity.
MCW deeply regrets any concern or inconvenience this may cause. As an organization committed to not only providing an exceptional patient experience, but to protecting the security of patient information, MCW is taking this incident extremely seriously, and remains committed to reviewing and enhancing its security practices, and those of its third-party partners and providers, on an ongoing basis in accordance with data security best practices.
For more information about this incident, Blackbaud released a public statement acknowledging this event and describing its cybersecurity practices, available at www.blackbaud.com/securityincident. Additionally, MCW has established a dedicated and confidential toll-free response line to respond to questions at 1-877-470-0222. This response line is staffed with professionals familiar with this incident and knowledgeable on what individuals can do to protect their information. The response line is available Monday through Friday, 8 a.m. to 5 p.m. Central Time.
MCW Media Contacts
The media relations team at MCW is happy to assist in coordinating experts for interviews. Please reach out to us at:
media@mcw.edu
(414) 955-8764