3 Minnesota hospital systems impacted by data breach of patient information

Children's Minnesota, Regions Hospital, and Gillette Children's are notifying families impacted by a data breach of patient information. It is unclear how many were impacted.

According to a statement, Children's officials learned on July 16 that a security incident happened at Blackbaud, a vendor that provides data services for Children's Minnesota Foundation. Blackbaud discovered an "unauthorized individual" was able to access the system from February 7 to May 20 and may have gotten backup copies of databases used by customers as well as a backup database used by the Foundation for fundraising efforts.

Children's officials believe the impacted Blackbaud database contained the following information: names, addresses, phone numbers, age, dates of birth, gender, medical record numbers, treatment dates, treatment locations, treating doctors and health insurance status.

Children's officials say financial information, credit card information and Social Security numbers were not stored in the impacted database. The breach also did not involve access to Children's Minnesota medical or electronic health records systems.

In a release, Regions Hospital officials said a very limited amount of demographic information stored in the Blackbaud database was involved, including names and addresses. Other information for a subset of affected individuals could have included dates of birth, dates of care, names of admitting and attending physicians and departments visited. The breach did not include credit card information, bank account information, Social Security numbers or medical information, such as diagnosis or treatment plans.

Gillette Children's reported that 1,766 patients were impacted by the incident. In a statement, Gillette Children’s Specialty Healthcare wrote, "As a nonprofit organization, Gillette Children's Specialty Healthcare relies on support from Gillette Children’s Hospital Foundation to help fund the health care services, treatment and research that enables us to provide exceptional care to our patients. Often, people choose to donate to our foundation after they, or their child, have a positive experience with us. We track a limited amount of information in the Blackbaud database so we are able to identify which doctor, or department, someone has interacted with if they would like to direct their gift to a specific program."

"We believe the strength of our cybersecurity practice and advance planning is the reason we were able to shut down this sophisticated ransomware attack," read a statement from Blackbaud. "We have already implemented changes to prevent this specific issue from happening again."

"Children’s Minnesota wants its patients to know that they are taking this matter very seriously," read a statement. "Blackbaud has communicated it has no reason to believe any data was or will be misused, disseminated or otherwise made publicly available."

Children's advises those impacted to review statements from their healthcare providers for any services they did not receive. Those with questions are asked to contact a dedicated call center at (866) 968-0207 from 8:00 a.m. to 5:30 p.m. Monday through Friday.

Moving forward, Children's Minnesota is reviewing Blackbaud's security measures and its arrangement with the vendor.