Inova Health System reports breach affecting more than 1 million individuals

Inova Health System, a nonprofit healthcare provider based out of Merrifield, Virginia, reported a breach on September 9 affecting 1,045,270 individuals, according to the Office for Civil Rights (OCR) breach portal.

Inova was made aware on July 16 that Blackbaud, a third-party vendor used for fundraising efforts, experienced a wide-reaching security incident that may have exposed the personal information of Inova patients and donors, according to the security notice posted on Inova’s website.

Blackbaud experienced the ransomware attack in May. The company’s investigation concluded that a threat actor accessed and removed data, including information that Blackbaud maintained for Inova, from Blackbaud’s systems between February 7 and May 20. Upon receiving notification of the attack, Inova conducted its own investigation. It determined that the information removed by the threat actor may have contained protected health information (PHI) of some of its patients and donors. The information may have included the following:

• Addresses
• Dates of birth
• Dates of service
• Donation dates and amounts
• Full names
• Hospital departments
• Phone numbers
• Provider names

The information exposed did not include Social Security numbers, financial account information, or credit card/payment information, according to Inova. Additionally, Inova’s electronic health record system was not impacted by the attack.

The accessed data was permanently destroyed and Blackbaud’s vulnerability has since been resolved, according to the Inova security notice.

While Inova does not believe any data will be misused or made publicly available, the company encourages individuals to take steps to protect their information. The preventive measures include placing a fraud alert and/or a security freeze on credit files and obtaining a free credit report.