Blackbaud Privacy Incident
Notice to Our Patients of a Privacy Incident
UMass Memorial Medical Center (“UMass Memorial”) is committed to protecting the security and privacy of our donors and patients, and all the individuals who support our fundraising efforts. Regrettably, we recently learned of an incident that occurred at one of our vendors, Blackbaud, Inc. (“Blackbaud”), that may have involved some of our data.
Blackbaud is a vendor that provides UMass Memorial with cloud-based data solution services related to our donors and fundraising. On July 16, 2020, Blackbaud informed us it had discovered that an unauthorized individual had gained access to Blackbaud’s systems between February 7, 2020 and May 20, 2020. Blackbaud advised us that the unauthorized individual may have acquired backup copies of databases used by its customers, including a backup of a database we use for fundraising efforts. We immediately took steps to understand the extent of the incident and the data involved.
This incident did not affect all UMass Memorial patient information; rather it was limited to our donor/fundraising database and did not involve any access to medical systems or electronic health records.
Based on our review of the affected database, we have reason to believe that it contained patient names, ages, genders, dates of birth, phone numbers, email addresses, dates of treatment, departments of service, and treating physicians.
Importantly, Blackbaud informed us that the fields dedicated to Social Security numbers, financial account, and credit or debit card information were encrypted, and therefore not able to be accessed by the unauthorized individual.
We want our donors and patients to know that we are taking this matter very seriously. We mailed letters regarding the incident to those patients whose information was contained in the Blackbaud database. We have also established a dedicated call center to answer questions about this incident, which may be contacted for more information at 888-604-0288, Monday through Friday, from 9 am to 6:30 pm Eastern Time.
If you believe you were affected by this incident, we recommend you review the statements you receive from your healthcare providers. If you see services you did not receive or transactions you do not recognize, please contact the provider immediately.
We regret any concern or inconvenience this incident may cause you. To help prevent something like this from happening again, we are examining our vendor relationship with Blackbaud and evaluating their security safeguards.