Public Notice: Health Insurance Portability and Accountability Act Notification

KANSAS CITY, MO [August 20, 2020] – On July 16, 2020, Saint Luke’s Foundation (“SLF”), a non-profit organization and affiliated foundation of Saint Luke’s Health System (“SLHS”), was notified by one of its third-party vendors, Blackbaud, that it had experienced a security incident potentially involving certain limited information it obtained from SLF. Blackbaud is a widely used constituent relationship management software provider for engagement and fundraising offices in higher education, healthcare, and nonprofits.

Blackbaud informed SLF that it discovered and stopped a ransomware attack, but not before some information may have been compromised. According to information provided to SLF by Blackbaud, the cybercriminal removed a copy of SLF’s backup file for the purpose of extorting funds from Blackbaud. Blackbaud stated that the ransomware attack and data compromise occurred at some point between February 7, 2020 and May 20, 2020. Based on the nature of the incident, their research, and third-party (including law enforcement) investigation, Blackbaud has assured SLF that it has no reason to believe that any data went beyond this cybercriminal or was disseminated or otherwise made available publicly. Blackbaud further stated that it has taken additional steps to ensure that the backup file was permanently deleted.

Blackbaud has informed us that the cybercriminal did not access credit card information, bank account information or social security numbers, as this information was encrypted and stored in a separate backup system from what was compromised. Blackbaud has also informed SLF that the compromised backup file may have contained the following patient information: name, mailing address, email address, telephone number, and/or date of birth. For some patients, additional information may have been included in the compromised backup file, including the name and address of the patient’s guarantor, and possibly limited medical information about the patient, such as date of service and department of care.

As part of its ongoing efforts to help avoid an event like this from happening in the future, Blackbaud has affirmed to SLF that it has already implemented changes to help protect its system from any subsequent incidents. Specifically, Blackbaud has stated that since learning of the issue it has identified the vulnerability associated with this incident, including the tactics used by the cybercriminal, and has taken actions to fix it.

Additionally, Blackbaud has informed SLF that it is accelerating their efforts to further harden their environment through enhancements to access management, network segmentation, deployment of additional endpoint, and network-based platforms. As an additional precautionary measure, Blackbaud has indicated that it has hired a third-party team of experts to monitor the dark web for any further misuse of the data.

Although no Social Security numbers or financial account information were involved, as best practice, it is recommended that those impacted remain vigilant for incidents of fraud and identity theft by reviewing account statements and monitoring credit reports for unauthorized activity.

For further information and assistance, a dedicated toll-free response line is available at 866-977-1133 between 8 a.m. – 8 p.m. Central Time, Monday through Friday. Additional information about this incident can also be found at