The Blackbaud breach has been the subject of headlines for weeks, and Geisinger was one of their clients. Geisinger recently announced that the Blackbaud breach affected 86,412 of the healthcare organization’s patients. More details on the Blackbaud breach and Geisinger are discussed below.
Blackbaud Breach Claims 6.3 Million Victims
Before we discuss what happened with Geisinger, it is important to understand how Geisinger’s patient information was compromised.
Blackbaud is a cloud software provider with a large client base in the healthcare space, one of which was Geisinger. The Blackbaud breach began when hackers accessed one of the organization’s databases, allowing them to access the sensitive information of several of Blackbaud’s clients. The hacking incident, which went undiscovered for over a month, has affected 6.3 million individuals so far. The types of information exposed varied by client and included names, contact details, some Social Security numbers, and other sensitive information.
Many of these victims are HIPAA-covered entities, including:
Inova Health System: 1 million individuals
Children’s Hospital of Pittsburgh Foundation, Saint Luke’s Foundation: 360,212 individuals
MultiCare Foundation: 300,000 individuals, 179,189 of whom are patients
Main Line Health: 60,595 individuals
Spectrum Health: 52,711 individuals
Northwestern Memorial HealthCare: 55,983 individuals
Geisinger: 86,412 individuals
Lawrence + Memorial Hospital: 21,617 individuals
Presbyterian Health Services: 193,223 individuals
Sisters of Charity of St. Augustine Health System: 118,874 individuals
The Blackbaud breach is classified as a ransomware attack, as hackers stole Blackbaud’s data and demanded a ransom for its return. Blackbaud has admitted that it paid the ransom to regain control of its clients’ data.
Blackbaud Breach: Impact on Geisinger
The Blackbaud breach affected 86,412 of Geisinger’s patients. Information compromised included names, dates of birth, ages, dates of treatment, gender, departments of service, treating physicians, and medical record numbers. Luckily, no Social Security numbers or financial information were contained in the Geisinger database that was accessed.
Jonathan Friesen, Geisinger’s Chief Privacy Officer, commented on the incident: “At Geisinger, we take our patients’ privacy incredibly seriously and we are here to help anyone who may have questions or concerns about this incident. To help prevent something like this from happening again, we are reviewing what information is stored at Blackbaud and its proposed security enhancements.”
Vetting Vendors and Business Associate Agreements
Since Blackbaud manages databases containing protected health information (PHI) on behalf of its covered entity clients, it is considered a business associate under HIPAA. As a business associate, Blackbaud is required to be HIPAA compliant. It is the responsibility of healthcare organizations to vet business associates (BAs) and to have signed business associate agreements (BAAs) with those BAs before working with them.
When a healthcare organization fails to vet vendors or to have signed BAAs with its BAs prior to working with them, it is liable if the BA should experience a breach affecting PHI. This is not to say that Blackbaud isn’t HIPAA compliant, or that its healthcare entity clients failed to vet it and have signed BAAs. However, covered entities affected by the Blackbaud breach that did not do so will be held liable for the Blackbaud breach and may be subject to HIPAA fines and/or corrective action plans.