Notice to Our Patients of a Privacy Incident at Blackbaud

Texas Children’s Hospital values the privacy and confidentiality of our patients’ information. We want to advise you of a recent incident that occurred at one of our vendors, Blackbaud, that may have involved information for certain patients.

Texas Children’s is one of thousands of hospitals, health care systems and other nonprofit organizations that were affected by a security incident at Blackbaud, the company that hosts our fundraising database. On July 16, 2020, Blackbaud informed Texas Children’s that they experienced a ransomware attack involving unauthorized access to their systems between February 7 and March 20, 2020. Upon discovery, Blackbaud reports that they immediately took steps to stop the ransomware attack and secure their systems. Before the systems were secured, however, the attackers removed a copy of a subset of data relating to many Blackbaud customers, including a backup of the hospital’s donor database. The attackers demanded a ransom in return for destroying the information they had stolen, which Blackbaud paid with confirmation that the copy was destroyed. According to Blackbaud, based on the nature of the incident, their research and law enforcement’s investigation, they have no evidence or reason to believe that the attackers maintained a copy of the Texas Children’s database, or publicly released any of the data. 

When Texas Children’s received Blackbaud’s notification, we immediately initiated an investigation to understand the nature and extent of the incident, and the data that was contained in the backup database. Our investigation determined that certain free text fields in the database may have contained certain patients’ names, dates of birth, department(s) of service, treating physician, and/or limited clinical information. This incident did not affect all of our patient information; rather, it was limited to certain fields in our fundraising database, and did not involve access to medical systems, electronic health records or financial records. Importantly, no patients’ Social Security Numbers or financial information were involved in this incident.

We mailed letters regarding the incident to those patients whose information was contained in the Blackbaud database on September 14, 2020, and also established a dedicated call center to answer any questions about this incident. Patients with questions can call 1-888-604-0161, Monday through Friday, 8 a.m. to 5:30 p.m. Central Time, excluding major U.S. holidays.

We recommend that patients review the statements they receive from their health care providers. Patients should contact their providers if they see services they did not receive.

Texas Children’s regrets any concern or inconvenience this incident may cause our patients. We take this incident very seriously and we are taking steps to reduce the risk of an incident like this happening again. While Blackbaud advised us that they fully resolved the vulnerability in their systems associated with the incident and implemented additional security measures, our Information Technology team is carefully reviewing Blackbaud’s security enhancements to ensure they are sufficient and all necessary steps are taken to protect Texas Children’s information. We are also reviewing our policies, procedures and systems to enhance the security of information contained in our database.