Blackbaud incident
VCU Health Community Memorial Hospital is proud of the trust and support that our friends and donors
show the health system. We are committed to transparency, honesty and the protection of the personal
data that we maintain. On July 16, the CMH learned of a global data security incident at Blackbaud.
Blackbaud is a vendor that provides data hosting services globally for hundreds of universities and
nonprofits. CMH uses Blackbaud-hosted services for our development and donor relations activities and
is one of many nonprofits affected by this incident worldwide.
The information compromised during this incident was primarily demographic in nature: name, address,
contact information, and philanthropic giving history. It is important to point out that CMH does not
store any credit card information, bank account information or Social Security numbers in this database,
so this information was not compromised in any way. CMH does not believe the information involved in
this incident can be used for identity theft or financial fraud.
Based on the nature of the incident, the research performed by the service provider and third-party and
FBI investigators, Blackbaud has stated there is no reason to believe any data involved in the breach
went beyond the cybercriminals; was or will be misused; or will be disseminated or otherwise made
available publicly. Blackbaud has hired a third-party team of experts to continue indefinite monitoring
for any such activity.
Based on the facts known to date, we do not believe you need to take any additional safeguards for your
information. As a best practice, we recommend that you remain vigilant and promptly report any
suspicious activity or suspected identity theft to the proper law enforcement authorities.
We very much hope you receive this update in the transparent spirit it was drafted, and we regret any
worry or other inconvenience the Blackbaud data breach might have caused. If you have any questions
or concerns, please visit Blackbaud’s notice or contact us at cmhfoundation@vcuhealth.org or (434) 447-0855.
FAQ
What is CMH’s relationship with Blackbaud?
CMH has contracted with Blackbaud, for donor relationship management services. This system is used to
record engagement by the Foundation with members of the CMH community.
What exactly happened in this incident?
Blackbaud discovered and stopped a ransomware attack involving many of its clients, including CMH.
After discovering the attack, Blackbaud’s cybersecurity team, together with independent forensics
experts and law enforcement (including the FBI), blocked the cybercriminals from doing additional
damage. The cybercriminals, however, successfully removed a back-up copy of files containing some
personal information of our donors. Blackbaud paid the cybercriminal a ransom to ensure the backup
file was permanently destroyed. This breach occurred no earlier than Feb. 7, with the cybercriminals
possibly accessing data intermittently until May 20. Read Blackbaud’s notice for more specifics.
What personal data was compromised?
The files accessed contained the following data fields, but this data was not obtained for every person in
the database:
- Demographic details such as name
- Addresses and contact details such as phone, email and LinkedIn profile URL
- A record of your engagement with the Foundation and fundraising activities, such as event participation, volunteer service, donations and any other interactions you have with the Foundation
- Information about your interests you have provided to CMH
Was my credit card, bank account or social security number stolen?
No. CMH does not store bank account or social security information with Blackbaud. If you have made a
credit card or ACH transaction with the Foundation, the payment processing vendor, authorize.net,
stores that information for a period of time before the data is deleted. If you have authorized a recurring
payments, the information is securely stored for the period of that commitment.
Am I at increased risk for identity theft because of this incident?
No. Because VCU does not collect data elements needed for identity theft and financial information is
not stored by Blackbaud, this incident will not elevate your risk of becoming a victim of identity theft.
We do advise, however, that our constituents follow best practices in protecting their identity, such as
monitoring of the annual free credit report at www.annualcreditreport.com/.
What steps has Blackbaud taken to prevent this from happening again?
Over the past five years, Blackbaud has built a substantial cybersecurity practice with a dedicated team
of professionals. Independent reviewers have evaluated the program and determined that it exceeds
benchmarks for both the financial and technology sectors. Blackbaud follows industry-standard best
practices, conducts ongoing risk assessments, aggressively tests the security of its solutions and
continually assesses its infrastructure.
How do I check and report any credit oddities?
We encourage you check and report any oddities on your credit report to one of these agencies:
- Experian (888) 397-3742
- Equifax (800) 685-1111
- TransUnion (888) 909-8872
- Innovis (800) 540-2505