MultiCare Foundation Addresses Security Incident on Blackbaud Fundraising Platform

MultiCare announced today that it has begun the process to notify about 300,000 affected donors and patients by email or first-class mail due to a security incident experienced by a MultiCare Foundations’ vendor.

On July 16, MultiCare was informed of a worldwide data security incident experienced by Blackbaud Inc. — an engagement and fundraising platform utilized by MultiCare Foundations. The incident affected more than 25,000 nonprofit organizations worldwide. It is important to know that Blackbaud has advised MultiCare that the cybercriminals who attacked Blackbaud did not have access to credit card information, bank account information or social security numbers at any time.

However, the impacted data contains selected information about some of MultiCare’s donors, potential donors, patients and former patients who we believe may want to support our health care mission and others in the community with whom we have relationships. For 126,092 donors, only name, address, telephone number and email address were involved. For 176,677 patients, the personal information involved included demographics, date and department of service, and provider name. For some guarantors, the date of birth, address and date of service may have been included as well. Minor names were not involved.

MultiCare has always held protecting the security and confidentiality of private information as a top priority and deeply regrets that this breach has occurred on its vendor’s platform.

For full details on the incident, as well as MultiCare’s response, please visit our Blackbaud Event page.

Below is the email sent to MultiCare Patients, individually obtained by the Auburn Examiner: 

Subject: Notification about Blackbaud ransomware attack
Body:  Protecting the security and confidentiality of private information is a top priority for everyone at MultiCare Health System. Regrettably, we are writing to inform you about an incident that may have involved some of your information as a MultiCare donor, patient or a former patient.

On July 16, MultiCare was informed of a worldwide data security incident experienced by Blackbaud Inc. – an engagement and fundraising platform utilized by our MultiCare Foundations and more than 25,000 nonprofits worldwide. It’s important to know that Blackbaud has advised MultiCare that the cybercriminals who attacked Blackbaud did not have access to your credit card information, bank account information or social security number at any time.

However, the impacted data contains selected information about some of MultiCare’s donors and potential donors including some patients, former patients and others in the community with whom we have relationships and may want to support our health care mission through philanthropy. The information included: limited demographic information as well as some care information such as provider name, date and department of last service, guarantor name and relationship. For some guarantors, the date of birth, address, and date of service may have been included as well. Minor names were not involved.

We want to assure you that we believe your personal information remains secure. However, as a precautionary measure, we are notifying individuals by email and mail who may have been affected by this incident.

What happened?
Blackbaud informed MultiCare that it had both discovered and stopped a ransomware attack in May 2020, but that a file containing limited data may have been accessed by the attacker. To protect personal customer data, Blackbaud paid the cybercriminal’s ransom with confirmation that the removed copy had been destroyed. Based on the nature of the incident, Blackbaud’s research, and third party (including law enforcement) investigation, Blackbaud has no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly.

Blackbaud has hired cybersecurity experts to monitor the web for any potential emergence of this data and has ensured MultiCare that this monitoring will continue. You can read the full statement from Blackbaud about the incident at blackbaud.com/securityincident.

How is MultiCare responding?
Since being notified, MultiCare has been working closely with Blackbaud to fully understand what information was compromised and to review Blackbaud’s compliance and security strategy to ensure our data will continue to be protected. We are also notifying anyone we believe to be potentially impacted by this security incident to be transparent and reassure you that we remain committed to protecting your personal information. You can learn more about our response and also read our Privacy Practices at multicare.org/blackbaud-event.

What do you need to do?
No credit card, bank account, or social security numbers were compromised. However, we would suggest as a best practice that you regularly review your account statements and credit reports closely and report any suspicious activities.

For your convenience, the contact information for the three major credit agencies is below:

• Equifax: www.equifax.com or call 800-685-1111
• Experian: www.experian.com or call 888-397-3742
• Transunion: www.transunion.com or call 888-909-8872

Sincerely,We again regret that this situation has occurred, and we value our relationship with you. If you have any questions or concerns regarding this matter, or wish to confirm your direct impact, please contact our Privacy Office at 800-920-1477 Monday through Friday from 7:30am-4:00pm Pacific Standard Time or email compliance@multicare.org at any time.

Monica Freedle
Director, Privacy and Civil Rights
MultiCare Health System