hospital donors impacted by data breach
3rd party vendor, Blackbaud, notifies hospital of security breach
At Dayton Children’s safety is our number one priority. That is why we have notified our valued donors of a cybersecurity incident involving a third-party computing company, Blackbaud, that Dayton Children’s Hospital Foundation uses to manage donor information.
Based in South Carolina, Blackbaud is a cloud-based fundraising software company and one of the world’s largest providers of customer relationship management systems for non-profit organizations. Blackbaud informed Dayton Children's recently that they had been the victim of a ransomware attack in May 2020. The cybercriminal was able to remove a copy of a subset of data from hundreds of their clients. This included a subset of Dayton Children’s Hospital Foundation donor information.
"We want to first and foremost communicate to donors that, based on current information known to us, the incident does not appear to involve credit card information, bank account information or social security number. This data is encrypted," says Jena Pado, CFRE, executive director, Foundation.
The data accessed during the cyberattack is believed to be unencrypted information, which may have contained donor contact information, demographic information, and a history of their relationship with the foundation, including donation dates and amounts.
Blackbaud has informed us that they do not believe that the information accessed by the cybercriminal has been used or disseminated.
However, such information could be used in phishing attempts — emails designed to trick recipients into giving up information such as passwords and usernames. If anyone receives an email from Dayton Children's asking for a donation* that seems suspicious, please contact us immediately.
"As a best practice, we recommend you remain vigilant and promptly report any suspicious activity or suspected identify theft to your local law enforcement authorities," says Pado. "This may include email messages with poor grammar or asking you to go to a site that is not linked to our website."
For more information on staying safe from phishing attempts please visit our website at https://www.childrensdayton.org/internet-safety.
Donors who received an email and/or letter notification from Dayton Children's in regard to this breach do not need to take action. Hospital representatives are in communication with Blackbaud on its efforts to enhance its cybersecurity to prevent any future attacks. Blackbaud is continuing to review matters related to this cyberattack and, if additional relevant information is forthcoming from Blackbaud pertaining to their findings and private donor information, there may be further communication. As we continue to monitor this situation, we will let our constituents know if anything materially changes.
We are happy to answer your questions regarding this matter. Please contact us at 937-641-3405 or at BlackbaudQuestions@childrensdayton.org.
"We sincerely apologize that this incident occurred," says Pado. "We know how scary these types of attacks can be and we want you to know that we take your safety, including your data protection and privacy, as seriously as we do the safety of our patients. As always, we value your partnership and contributions to Dayton Children’s."
*Please note that the hospital does regularly send emails asking for donations; however, these will always come from a "childrensdayton.org" email address and link to secure donation forms.