HOUSTON – Texas Children’s Hospital is notifying its patients of a data security incident involving one of its vendors, the hospital announced in a release Monday.
Blackbaud, a company that hosts the hospital’s fundraising database, experienced a ransomware attack that involved unauthorized access to its system between Feb. 7 and March 20 of this year, according to TCH officials.
TCH says Blackbaud notified it on July 16 of the breach, which also impacted other hospitals and health care systems.
“Upon discovery, Blackbaud reports they immediately took steps to stop the ransomware attack and secure their systems,” TCH wrote in a release. “Before the systems were secured, however, the attackers removed a copy of a subset of data relating to many Blackbaud customers, including a backup of the Texas Children’s donor database.”
TCH said Blackbaud paid the attackers a ransom and confirmed that the copied information was destroyed. Blackbaud said it has no reason to believe the attackers have another copy of the hospital’s database or released the data publicly.
As soon as Texas Children’s Hospital was notified, it mailed its patients who were affected by the security incident.
“This incident did not affect all Texas Children’s patient information; rather it was limited to certain fields in the hospital’s fundraising database, and did not involve access to medical systems, electronic health records or financial records. Texas Children’s investigation determined that certain free text fields in the database may have contained certain patients' names, dates of birth, department(s) of service, treating physician, and/or limited clinical information. Importantly, no patients' Social Security Numbers or financial records were involved in this incident,” according to a release by the hospital.
A call center is available to answer any questions regarding the security breach at 1-888-604-0161 during business hours, 8 a.m. to 5:30 p.m., Monday-Friday.