The company Blackbaud helps companies in a variety industries manage their customer relationships. Their services include fundraising and relationship management, customer engagement, financial management and related services.
The customers span many industries including arts and culture, faith based organizations, non-profit foundations, healthcare organizations, higher education, change agents and even commercial corporations.
Companies can also install their own copies of the Blackbaud software in their computer computer rooms and data centers instead of in Blackbaud’s data centers. It is this subset of their customers that were compromised and only some of them.
Unfortunately for Blackbaud, among the many companies affected are healthcare providers and since they are HIPAA Covered Entities, they are required to report these breaches to the U.S. Federal Government and they publish the largest of these breaches.
While this breach (which was actually a ransomware attack where the hackers stole the data before encrypting it) happened in May and this is September, we are still hearing about more companies who’s data was compromised, including some who have not yet reported the breach.
Among those companies are:
- Northern Light Health – 657,000 people’s information compromised
- Saint Luke’s Foundation – 360,000 people
- Multicare Health System – 179,000 people
- University of Florida Health – 136,000 people
and others. The total, just in healthcare, so far – more to come – is almost 1.6 million people who’s data was compromised.
This is just ONE VENDOR who serves healthcare that was attacked this year.
Another vendor is Magellan Health which is a managed healthcare provider. That breach affected about 1.7 million people.
Some organizations were affected by both breaches.
And while the Magellan breach likely only affected the healthcare industry and that is where this story is focused, the Blackbaud breach affects every industry.
In the case of healthcare, as is usually the case, who winds up on the short end of the stick is the healthcare providers.
In concept, they did nothing wrong other than trust a provider, a vendor, that maybe they should not have trusted.
These 3+ million people who were affected represent just two compromises and just this year. Many other organizations were independently hacked this year and their numbers are not included.
Again in just 2020 alone and only in healthcare, 345 breaches affected over 11 million . Those are just the ones that were posted to Health and Human Services “wall of shame”.
But fines, if and when the do happen, are typically small and come 5 years or more after the event, when most of the people responsible are no longer there.
So what needs to happen?
First of all, given the current Republican administration, it is unlikely that enforcement is going increase or speed up.
Ultimately, who gets to do the heavy lifting is the companies who hire these vendors. It is the companies’ responsibility to make sure that their vendors secure their data.
There is no rocket science involved. What is involved is
Unfortunately, at least some businesses look at it as a profit and loss decision. If it is perceived to cost more to fix the problems of poor security than than to deal with the consequences, some companies make that financial decision.
But as a company that hires these vendors, you can impact this.
Your vendor CYBER risk management program needs to make sure that these vendors that have access to or store your client’s data are following best security and privacy practices.
You also want to make sure that your contracts with these vendors hold those vendors financially responsible for all of the costs that you bear including lost business and lawsuits, among other costs.
The only way we are going to shift the conversation and have vendors make the needed investments in cybersecurity is if it becomes more costly to be non-secure than secure.
In the case of healthcare, it is easy – it is the law!
If you need help building or enhancing your vendor cyber risk management program, please contact us. Credit: Data Breach Today