Privacy Officer's Roundtable

Blackbaud

  • 1.  Blackbaud

    Posted 07-17-2020 08:20 AM
    There may already be a string about this, but we recently received notification of a ransomware attack on Blackbaud, and am wondering how other organizations are handling and whether it has been determined to be a reportable breach.  Representations from the Blackbaud seems somewhat reassuring, but we are trying to obtain more specific information.

    Any thoughts/input would be most appreciated.

    Steve Day

    ------------------------------
    Steve Day
    Counsel, Director of Risk, and Privacy Officer
    Doylestown Hospital
    Doylestown,PA
    ------------------------------
    2020 SCCE Membership


  • 2.  RE: Blackbaud

    Posted 07-17-2020 08:34 AM
    Steve,

    I recall reading this notice and also how it was carefully crafted...which makes me think, if Blackbaud was my business associate I would want confirmation from Blackbaud on whether ANY of the PHI or ePHI that Blackbaud creates, receives, maintains, or transmits on my behalf was accessed, acquired, used, or disclosed by the involved cybercriminals.  Keep in mind that this may or may not include the "subset of data" that was mentioned in the notice (which I have heard from others, unconfirmed, was not secured as it was not encrypted).

    That's where I would start.  If the answer is yes...then you have more work cut out for you as at that time you then have a presumed breach and the notifications are triggered.  If not, then you (or your BA) do not have an "impermissible" on your hands and therefore no breach.

    ------------------------------
    -------------Frank "Snake Bite Leader" Ruelas--------------
    ► We don't fail unless we quit! ◄
    Bill Wong's Resource Folder: https://bit.ly/BillWong
    NEXT UP:
    Stay tuned...

    ░ Pass the Exam Group for 2020 ░
    Melissa Singleton - Jan - CHPC
    Julie Clutter - Jan - CHPC
    Tanisha Grant - Feb - CHC
    Lisa Bibby - Jan - CHPC
    Kelly Puida - Mar - CHPC
    Christina Serrano - Mar - CHC
    Rachel Anderson - May - CHC
    Melissa Alexander - June - CHC
    Theresa Veazey - June - CHC
    Barbara Zubeck - June - CHPC
    Patricia Radatz - June - CHC
    Anthony Fleming - July - CHC
    Laura Chaney - July - CHC
    ------------------------------

    2020 SCCE Membership


  • 3.  RE: Blackbaud

    Posted 07-17-2020 08:36 AM
    Thank you so much Frank!  Anxious to hear others' thoughts as well!

    Steve

    ------------------------------
    Steve Day
    Counsel, Director of Risk and Privacy Officer
    Doylestown Hospital
    Doylestown,PA
    ------------------------------

    2020 SCCE Membership