Notice to SCL Health Patients of Blackbaud Related Privacy Incident
SCL Health is committed to protecting the security and privacy of our patients. Recently we learned of an incident that occurred at one of our vendors, Blackbaud, Inc. (“Blackbaud”), that may have involved data relating to some current or past patients of certain SCL Health Colorado, Montana and Kansas locations.
On July 16, 2020, SCL Health received notice of an incident from Blackbaud, a cloud-based software company that provides customer relationship management and financial services tools to thousands of schools, non-profits and hospitals, including SCL Health. The Blackbaud notice stated that an unauthorized individual had gained access to Blackbaud’s systems between February 7 and May 20, 2020. Blackbaud advised us that the unauthorized individual may have acquired backups of its customers’ databases, including the customer relationship management database used by SCL Health. We immediately took steps to understand the extent of the incident and the data involved.
Based on SCL Health’s review of the affected database, we have reason to believe it may have contained information relating to some of patients, including patient names, dates of birth, address and contact details (such as phone number and e-mail address), admission date, hospital location, service location, and/or treatment provider.
Blackbaud informed SCL Health that it conducted a forensic investigation in partnership with third-party cybersecurity experts. Blackbaud has confirmed that the investigation found that no encrypted information was impacted, which means that, any Social Security Numbers,financial account or credit card information stored in Blackbaud was encrypted and therefore was NOT accessible. Also, this incident did NOT involve any access to our medical systems or electronic health records.
The incident may have impacted some current and past patients of the following SCL Health locations:
Good Samaritan Medical Center
Lutheran Medical Center
Platte Valley Medical Center
Saint Joseph Hospital
St. Mary's Medical Center
SCL Health Medical Group Clinics
SCL Home Health
Holy Rosary Healthcare
St. Vincent Healthcare
St. James Healthcare
SCL Health Medical Group Clinics
University of Kansas Medical Center - St. Francis Campus (formerly St. Francis Health), a care site formerly owned by SCL Health.
At this time, there is no evidence that personal information involved in the incident has been misused. However, for any affected patients, we recommend you remain vigilant and review the statements you receive from your healthcare providers. If you see services you did not receive, please contact the provider that issued the statement immediately.
Blackbaud has informed SCL Health that it identified and fixed the vulnerability associated with this incident, implemented several changes that will better protect data stored in their system, and is undertaking additional efforts to harden its environment through enhancements to access management, network segmentation, and deployment of additional endpoint and network-based platforms. To help prevent something like this from happening again, SCL Health is evaluating its relationship with Blackbaud and closely monitoring its continued updates and the security measures it implemented in response to the incident.
We very much regret any inconvenience the Blackbaud incident may have caused and want our patients to know we take their privacy and security very seriously. SCL Health mailed letters regarding the incident to those whose information was contained in the Blackbaud database on September 10, 2020. We have also established a dedicated call center to answer any questions about this incident, at toll free phone number 866-968-0158, Monday through Friday, 7 am - 4:30 pm Mountain Time.