SCL Health Medical Group announced on Sept. 10 a data breach of patient information that occurred earlier this year, including personal information of patients at three Montana hospitals.
One of SCL Health’s third-party service providers, Blackbaud Inc., notified SCL Health on July 16 that an “unauthorized individual” gained access to Blackbaud systems that contain patient information between Feb. 7 and May 20. Blackbaud is a cloud-based software company that provides customer relationship management and financial services tools to various companies and organizations, according to a notice to SCL Health patients on St. Vincent Healthcare’s website.
SCL Health operates St. Vincent Healthcare in Billings, St. James Healthcare in Butte, Holy Rosary Healthcare in Miles City, and other facilities and clinics in Montana, along with others in Colorado and Kansas.
“SCL Health mailed letters regarding the incident to those whose information was contained in the Blackbaud database on September 10, 2020,” according to the website notice. Notices were also issued to anyone who may have possibly been impacted, according to a statement from SCL Health vice president of communications Nikki Sloup.
The information that may have been accessed includes patient names, dates of birth, addresses, phone numbers, email addresses, admission dates, hospital locations, service locations and treatment providers.
A forensic investigation conducted by the company found that encrypted information stored in Blackbaud, such as Social Security numbers, financial accounts and credit card information, was not accessed, Sloup said. The incident did not involve any access to medical systems or electronic health records.
When asked why patients weren't promptly notified of the data breach, Sloup said that SCL Health, working in partnership with Blackbaud on its investigation, took time to establish a "clear understanding of the information and potential people impacted."
"Thousands of nonprofit organizations who work with Blackbaud were impacted by the breach, and SCL Health has been among the early groups to issue communications to anyone potentially impacted," Sloup said.
SCL Health launched its own investigation and notified patients via mailed letters, postings on related websites and through media advisories "in the states where individuals may have been impacted," according to Sloup. The U.S. Office of Civil Rights has also been informed of the breach.
“At this time, there is no evidence that personal information involved in the incident has been misused,” Sloup said. "However, we recommend patients remain vigilant and review the statements you receive from your health care providers."
Patients who notice payments for services that they have not received are encouraged to contact their provider.
SCL Health is evaluating its relationship with Blackbaud and is “closely monitoring its continued updates and the security measures it implemented in response to the incident.”
“Blackbaud has informed SCL Health that it identified and fixed the vulnerability associated with this incident, implemented several changes that will better protect data stored in their system, and is undertaking additional efforts to harden its environment through enhancements to access management, network segmentation, and deployment of additional endpoint and network-based platforms,” Sloup said.
Sloup noted that cybersecurity threats are prevalent and have impacted many companies, organizations and governmental bodies. SCL Health encrypts all sensitive information, such as Social Security numbers, bank account information and more, and that information was inaccessible when the incident occurred.
"Currently SCL Health is reviewing its processes regarding cyber risks presented by third party vendors," Sloup said. "SCL Health has teams and robust resources dedicated to the safety and security of our data and information."
When asked how patients have responded to the incident, Sloup said that they've been very understanding once they "had the assurance and understanding that there was very low risk due to the limited amount of information and type of information that was compromised."