Notice of Vendor Data Security Incident to Our Patients and Donors
At USC Arcadia Hospital (“USC Arcadia Hospital”), we take our responsibility to maintain the privacy and security of our patients’ personal information very seriously. Regrettably, we have learned that MHSC is one of hundreds of hospitals, healthcare systems, and other nonprofit organizations, including several in California, to be affected by a security event at Blackbaud Inc., a well-respected provider of cloud and data services for charitable organizations.
What Happened?
The USC Arcadia Hospital Foundation (the “Foundation”) is a nonprofit corporation that is organized to fund charitable funds for the benefit of USC Arcadia Hospital. In accordance with our policies and procedures, and as described in our Notice of Privacy Practices provided to our patients (found on our website at: https://www.methodisthospital.org/For-Patients-Visitors/Notice-of-Privacy-Practices.aspx), USC Arcadia Hospital provides limited information about our patients to our Foundation, which contracts with Blackbaud to host the Foundation’s fundraising databases.
On September 9, 2020, we were notified by the Foundation that Blackbaud discovered and stopped a ransomware attack that included our Foundation’s donor database, as well as those of many other nonprofit organizations. The ransomware attack occurred between February and May 2020, but Blackbaud and the Foundation took time to determine which organizations were impacted before we were notified of the attack.
In its investigation, Blackbaud stated that its cybersecurity team — together with independent forensics experts and law enforcement — successfully prevented the cybercriminal from blocking Blackbaud’s system access. Blackbaud ultimately expelled the cybercriminal from its system. Before being locked out, however, the cybercriminal removed a copy of a backup file containing some information about our patients. Blackbaud stated that they paid the ransom and received confirmation that the cybercriminal had destroyed the copy of the data removed from the system.
What Information Was Involved?
- full name;
- contact information, such as telephone numbers, email address, and mailing address;
- demographic information, such as date of birth and sex; and
- medical record number and possibly admission date.
We had not provided any other health information, such as insurance information or Social Security number, to the Foundation.
Based on the nature of the incident, Blackbaud’s research, and third-party (including law enforcement) investigation, Blackbaud has assured us that it has no reason to believe that any data went beyond this cybercriminal or was disseminated or otherwise made available publicly. Blackbaud further stated that they have taken additional steps to ensure that the backup file was permanently deleted.
What We Are Doing
Blackbaud has taken several steps in response to this incident. As part of its ongoing efforts to help prevent an event like this from happening in the future, Blackbaud has informed us that it has implemented changes to help protect its system from any future incidents. Since learning of the issue, Blackbaud identified the vulnerability associated with this incident, including the tactics used by the cybercriminal, and has taken actions to fix it. Additionally, Blackbaud is accelerating its efforts to further improve its systems through enhancements to access management, network segmentation, and other network-based platforms. As an additional safety measure, Blackbaud has indicated that it has hired a third-party team of experts to monitor the dark web for any further misuse of the data.
In response to Blackbaud’s notification, USC Arcadia Hospital initiated a full investigation once the incident was identified and has taken the necessary steps to prevent a similar event from occurring again, including reviewing and minimizing the sensitive data elements that are provided to the Foundation and/or Blackbaud. In addition, we have reported this incident to the California Department of Public Health.
What Our Patients Can Do
We want to emphasize again that Blackbaud has assured us that no Social Security numbers, credit cards, bank accounts or other information of that nature were compromised. However, we recommend our patients remain attentive by reviewing their account statements and credit reports closely and reporting any suspicious activities.
Our Commitment to Our Patients
While data security incidents and ransomware attacks are unfortunately becoming more common, this is not something USC Arcadia Hospital ever wants to happen to our valued patients. Your privacy is of utmost importance to us. We very much regret the inconvenience that this incident may have caused. Please be assured that we take data protection very seriously and are grateful for the continued support of our vital mission to deliver world-class care to our patients.
If you have any other questions, please contact us via one of the methods below:
- Telephone: 626-574-3528
- Email: patientsafetycompliance@methodisthospital.org
- Web site: www.methodisthospital.org/News.aspx