UF Health, in a letter to its customers, announced a data breach incident that occurred through a software contractor. In its letter, UF Health writes:
As a precautionary measure, we are notifying our customers about a data security incident involving UF Health data.
UF Health values its customers and respects the privacy and security of your information. As a precautionary measure, we are notifying our customers about a data security incident involving Blackbaud, a company which contracts with UF Health. Blackbaud was recently the victim of a ransomware attack, which may have affected certain UF Health data hosted by Blackbaud. While we believe the risk to our customers is low, we are committed to transparency and being in full compliance with the rules and laws that govern the confidentiality of your information.
It is important to note that Blackbaud reported it has no reason to believe that any data was or will be misused, or will be disseminated or otherwise made publicly available. Further, the data security incident does not involve credit card details, banking information, Social Security numbers, medical record numbers, clinical or diagnosis information, or other highly sensitive information. UF Health did not share that information with Blackbaud and, therefore, it was not involved in the data security incident.
The below summary includes additional details of this incident.
On July 16, 2020, UF Health was notified of a security incident involving data hosted by Blackbaud, a company that provides software tools and management resources to UF Health, as well as many other health care organizations, colleges and universities, and nonprofit corporations in the state of Florida, around the nation, and the world. In May 2020, Blackbaud discovered that cybercriminals had potentially been in their systems since February 2020 and were able to access a subset of data from a number of their clients, including UF Health.
What information was involved?
This incident does not involve highly sensitive personal, financial, or clinical information; however, our research into this incident has revealed that some demographic information (such as names, addresses, phone numbers, and e-mail addresses) was included. Additionally, dates of birth, physician names, and visit location information may have also been included.
Blackbaud reported that they met the ransom demands made by the cybercriminal and were provided with assurances that the data was destroyed. As emphasized above, Blackbaud has shared that, based on their research and investigations by law enforcement and forensic security firms, it has no reason to believe that any data was or will be misused, or will be disseminated or otherwise made publicly available.
What have we done?
Upon learning of this incident from Blackbaud on July 16, UF Health immediately began an investigation to understand whether any data was compromised and assess the impact, if any, to our customers, determine additional security measures being taken by Blackbaud, coordinate with our peers and Blackbaud, and understand why there was a delay between finding the breach and notifying UF Health and their other customers. UF Health has hired an independent data breach and identity services recovery expert to assist us on the next appropriate steps, and we have established required and necessary communications to our customers and regulatory officials.
What can you do?
It is a best practice to regularly monitor and review your personal accounts and credit information to protect against any unwanted activity and the potential for identity theft. While we would like to reiterate that we believe the risks associated with this incident are low, we are also here to help. We have set up an informational website for access to current information and a call center with interactive voice response and live agents to provide additional information and address any questions or concerns you may have.
Where can I get more information?
In addition to this website communication, you may also receive a written notification sent via first class mail. The written notification letter will include a toll-free phone number and a link to a website where our customers can obtain more information about the data security incident and receive additional information on resources available to you. If you would like to speak with someone about this incident, please do not hesitate to contact us at firstname.lastname@example.org.
We regret this has taken place and apologize for any concern this may have caused you. We take your privacy very seriously, and we will continue to work diligently to protect your personal information.