Patient information from at least two Long Island hospitals was potentially compromised in a May ransomware attack on a third-party software provider, officials said Sunday.
Blackbaud, a fundraising technology provider for nonprofits, said on its website that a cybercriminal accessed data from its system during the attack. The Charleston, South Carolina-based company said it booted the cybercriminal from the network before it could lock the company out of its system. It said Social Security numbers, bank account information and credit card numbers were not accessed.
Stony Brook University Hospital and Mount Sinai South Nassau Hospital in Oceanside, which both use the platform, said they received notice of the ransomware attacks on July 17 and 16, respectively.
Stony Brook University Hospital said 175,000 patients were potentially affected. A spokeswoman said the hospital identified those whose data may have been affected.
In a statement on its website, Stony Brook said information may have included patients' names, birth dates, addresses, contact information, attending doctor, insurance provider and medical service department.
"Based on statements from Blackbaud, Stony Brook has no reason to believe that the information involved in this incident has been misused," said Erin Stoeber, Stony Brook Medicine's assistant vice president, marketing and communications, in a statement.
Ransomware is malware that targets data and systems for extortion and is delivered through targeted phishing emails, according to the FBI. After the user has been locked out of the data or system, there is a demand for payment, the agency said. In some cases the ransomer will threaten to release the information, according to cybersecurity experts.
Mount Sinai South Nassau Hospital, in a message posted to its website Wednesday, said it immediately started an investigation and on Aug. 28 found the affected data "may have contained personal information."
Blackbaud officials said they worked with independent forensic experts as well as law enforcement.
Blackbaud said in a message posted on its website, "we paid the cybercriminal’s demand with confirmation that the copy they removed had been destroyed."
The company added: "We have no reason to believe that any data went beyond the cybercriminal, was or will be misused; or will be disseminated or otherwise made available publicly."
A data breach expert said it's likely that the ransomers deleted the data, since that's the business model.
"While it’s not ideal that the information has been stolen, and while it’s never ideal to pay a ransom to attackers, Blackbaud is taking concrete steps to try and mitigate what happened. Which is a good move," Mathew Schwartz, Executive Editor of DataBreachToday & Europe, wrote in an email. "The nonstop spate of ransomware attacks demonstrates attackers are continuing to get through. What’s egregious about a case such as this, however, is that attackers hit an organization that was cloud-hosting software and data for others, including affected hospitals."
With David M. Schwartz and AP