Froedtert & the Medical College of Wisconsin Community Physicians, Inc. (“Community Physicians”) is committed to protecting the security and privacy of our patients’ information. Regrettably, we recently learned of a data security incident that occurred at a third-party service provider, Blackbaud, Inc. (“Blackbaud”), that may have involved some patient information.
Blackbaud is a software and service provider used for fundraising and other services. On July 16, 2020, Blackbaud began notifying its customers of the data security incident. Blackbaud reported that it had identified an attempted ransomware attack in progress. Blackbaud informed its customers that it stopped the ransomware attack and engaged forensic experts to assist in its internal investigation. According to Blackbaud, some data from its systems was removed between Feb. 7, 2020 and May 20, 2020. However, Blackbaud stated it paid to ensure that the data was permanently destroyed.
On Aug. 19, 2020, our investigation determined that the data removed from Blackbaud may have contained some patient information related to services our patients received at Community Physicians, including patient names, addresses, provider names, dates of service and also, in some instances, medical record numbers and dates of birth.
Social Security numbers and financial and credit card account information are NOT stored in the affected Blackbaud database, so that information was NOT involved in this incident.
Blackbaud confirmed that they closed the vulnerability that allowed the incident to occur and that they are enhancing their security controls and conducting ongoing efforts to protect against incidents like this in the future. According to Blackbaud, there is no evidence to indicate that any data will be misused, disseminated, or otherwise made publicly available. Blackbaud indicated that it hired a third-party team of experts, including a team of forensics accountants, to continue monitoring for any such activity.
We want our patients to know that we are taking this matter very seriously. The security of patient information is a top priority for us and we sincerely apologize for any inconvenience this may cause. We mailed letters on October 9, 2020 regarding the incident to those whose information may have been involved. We have also established a dedicated call center to answer questions about this incident. Those seeking additional information may call 833-689-1141 between 8:00 a.m. to 6:00 p.m. CST Monday through Friday.
For affected patients, we recommend that you review statements you receive from us. If you see any services you did not receive, please contact us immediately. To help prevent something like this from happening again, we are evaluating the security practices of Blackbaud and the use of Blackbaud in connection with fundraising activities in the future.