Public Notice of Blackbaud Data Incident

Posted 9/11/2020

Blackbaud, Inc., an outside vendor of MUSC, experienced a data security incident that may have affected some MUSC constituent data. MUSC takes the protection of personal information very seriously, and as such, we want to share with the public the details that we have received from Blackbaud surrounding this incident.

What happened?

On July 16, 2020, we were notified that Blackbaud, an outside vendor of MUSC, had discovered and stopped a ransomware attack on Blackbaud’s self-hosted platform in May of 2020. Blackbaud is the global market leader in third-party, not-for-profit donor applications used by many charitable organizations in the U.S. and abroad. MUSC first notified the public of this event on August 10, 2020.

What information was involved?

Blackbaud has specifically informed us that the cybercriminal did not access credit card information, bank account information, or social security numbers. According to Blackbaud, the cybercriminal did, however, remove, in as early as February, a copy of a subset of Blackbaud’s customer data. The information removed may have included information used by MUSC for fundraising and donor relations purposes, such as individuals’ names, contact information, demographic information, birth date, relationship and donation profile/history with MUSC, and in some cases limited health information (such as physician name, department visited and/or discharge date). Individual files varied.

Blackbaud paid the cybercriminal’s ransom demand with confirmation that the copy the cybercriminal removed had been destroyed.

Blackbaud does not believe this incident poses any risk to individuals whose information was involved, because, based on the nature of the incident, Blackbaud’s research, and third-party (including law enforcement) investigation, Blackbaud has no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly. Blackbaud has hired a third-party team of experts to monitor the dark web as an extra precautionary measure.

What are we doing?

MUSC is reviewing all relevant business practices and procedures regarding the security of your personal data. Notifications have been sent to the last known address as required by law. Blackbaud has reported that it has already implemented numerous security changes. Blackbaud has stated that it quickly identified the vulnerability associated with this incident and took swift action to fix it. Blackbaud has stated that it has confirmed through testing by multiple third parties that Blackbaud’s fix withstands all known attack tactics. Finally, Blackbaud has reported it is further hardening its environment through enhancements to access management and network segmentation, plus deployment of additional endpoint and network-based platforms.

What can you do?

Based on Blackbaud’s notice, this incident is unlikely to result in a risk of harm to individuals, and as such, Blackbaud does not think there is anything more individuals need to do at this time relating to this specific incident.

As always, individuals should maintain the routine personal practice of remaining vigilant to cybercriminal scams, which unfortunately are common occurrences. If suspicious activity is ever detected on personal credit statements, credit reports or financial accounts, the individual affected should promptly report discrepancies to law enforcement authorities, the applicable financial entity, and/or the credit bureaus: Equifax (PO Box 74021, Atlanta, GA 30374; 800-685-1111; www.equifax.com), Experian (PO Box 2002, Allen, TX 75013; 888-397-3742; www.experian.com) or TransUnion (PO Box 1000, Chester, PA 19016; 800-916-8800; www.transunion.com). Personal information and monetary donations should only be provided to verified sources. Additionally, for a free copy of a credit report and guidance on how to protect personal information with fraud alerts and security freezes, individuals may contact the credit bureaus, their State Attorney General, and/or the Federal Trade Commission, 600 Pennsylvania Avenue, NW, Washington, D.C. 20580, 877-IDTHEFT (438-4338), or www.ftc.gov/idtheft. See state specific guidance below.

We sincerely apologize and regret that this situation has occurred. For more information about this incident, kindly consult the Blackbaud website at https://www.blackbaud.com/securityincident. If individuals are concerned they were affected or have additional questions about this incident, they can also call our toll-free number at 877-461-2599 9 a.m. to 6:30 p.m. EST Monday through Friday (excluding major holidays) which will remain open for 90 days.

State Specific Guidance:

For residents of Maryland: You may obtain a copy of your credit report, free of charge, whether or not you suspect any unauthorized activity on your account, using the contact information listed above.

For residents of Rhode Island: You also have the right to place a security freeze on your credit report by contacting any of the credit bureaus listed above.

For residents of Maryland, Rhode Island: You can obtain information from the State Offices of the Attorney General and Federal Trade Commission about fraud alerts, security freezes, and steps you can take toward preventing identity theft.

Maryland Office of the Attorney General
Consumer Protection Division
200 St. Paul Place
Baltimore, MD 21202
888-743-0023
www.oag.state.md.us


Rhode Island Office of the Attorney General
Consumer Protection
150 South Main Street
Providence, RI 02903
401-274-4400
www.riag.ri.gov