Blackbaud Data Security Incident
On July 16, 2020, we received notification that Blackbaud, a third-party donor and fundraising management services provider used by Children’s Healthcare of Atlanta as well as many other educational institutions and not-for-profit organizations, had been a victim of a ransomware attack in May 2020.
According to Blackbaud, sensitive personal information, such as Social Security numbers, bank account and credit card data, was not impacted as a result of the event.
The cybercriminals were, however, able to remove and copy a subset of data from Blackbaud’s clients, including Children’s, prior to the discovery and subsequent removal of the cybercriminals from the system. This incident may have resulted in unauthorized access to certain information maintained by Blackbaud about you or your business, including your name, addresses, phone numbers, birthdates and donor profile information. Blackbaud indicated they do not believe this information was disseminated or made public.
We take the protection of our donors’ information seriously and we have taken immediate steps to investigate this matter. We are notifying you of the incident so you are aware and can remain vigilant to promptly report any suspicious activity to Children’s and the proper law enforcement authorities.
Thank you for your support of Children’s. When donating to Children’s, please be sure that any web sites are authentic (give.choa.org or choa.org). Further information, FAQs, and updates on this incident are below.
Please feel free to email C.J. Drymon or call (404) 785-0667 if you would like a Children’s representative to contact you.
Interim President, Children’s Healthcare of Atlanta Foundation
Donna Hyland, CEO and President, Children’s Healthcare of Atlanta
Mark Chancy, Chairman, Children's Healthcare of Atlanta Foundation Board
Blackbaud data security incident FAQs
1. What happened?
On July 16, 2020, a third-party vendor, Blackbaud, informed the Children's Healthcare of Atlanta Foundation that Blackbaud suffered a ransomware attack in May 2020, which may have resulted in unauthorized access to certain information maintained by Blackbaud. Upon learning of this event, Children's immediately commenced an investigation to determine what, if any, Children's Healthcare of Atlanta Foundation data was impacted. Please know that we take this incident and the security of our donors’ information very seriously. We are diligently working to determine the full nature and scope of this incident, as well as confirm whether and what Foundation data may be involved.
2. When did Children's Healthcare of Atlanta Foundation discover that this happened?
On July 16, 2020, our third-party vendor, Blackbaud, informed us that it experienced an attempted ransomware attack in May 2020. We immediately began an investigation to determine how this incident impacts the Children's Healthcare of Atlanta Foundation, and our investigation is ongoing. Please know we take the security of information very seriously and are diligently working to learn more about this incident.
3. Who is Blackbaud and do they have my personal information?
Blackbaud is a cloud-computing provider that offers customer relationship management and financial services tools, focusing on the non-profit sector. The Children's Healthcare of Atlanta Foundation uses Blackbaud primarily for these services, including front-end fundraiser analytics, benchmarking, and prospect screening analytics. While Blackbaud does store certain Children's Healthcare of Atlanta Foundation information, we are currently working to confirm what, if any, of this information was impacted by Blackbaud’s ransomware event.
4. What information of mine was potentially accessed?
The Children's Healthcare of Atlanta Foundation is actively investigating what, if any, information was potentially impacted by Blackbaud’s ransomware event. While our investigation is ongoing, to date, Blackbaud advised that no credit card information was included in the impacted files, and that no bank account information, usernames, passwords or Social Security numbers were accessible to the unauthorized actor. Moreover, Social Security numbers are not stored by the Children's Healthcare of Atlanta Foundation in this system.
The Children's Healthcare of Atlanta Foundation understands, however, from the information provided by Blackbaud, that certain financial-giving records were included among the data potentially impacted by the recent incident. Such records could include donors’ names, physical addresses, phone numbers, birthdates, and donor profile information, such as donors’ real estate asset holdings, or giving history. We continue to investigate this incident and can provide additional updates as necessary.
5. What is Children's Healthcare of Atlanta Foundation doing to prevent this from happening again?
The Foundation is currently investigating the nature and scope of this incident and will work with Blackbaud to evaluate additional measures and safeguards to protect against this type of incident in the future.
6. Why did it take so long to notify me?
The Children's Healthcare of Atlanta Foundation continues to seek information from Blackbaud regarding its investigation and response to this incident, including why the Children's Healthcare of Atlanta Foundation and other customers were not notified sooner. However, upon receiving initial notification from Blackbaud on July 16, 2020, the Children's Healthcare of Atlanta Foundation immediately responded and launched an investigation to determine the extent to which Children's Healthcare of Atlanta Foundation data may be impacted. Our initial investigation and response efforts were required to ensure the accuracy of the information provided to you. The Children's Healthcare of Atlanta Foundation then moved to notify those whose information may be impacted. Update (July 29, 2020): Blackbaud was advised by law enforcement not to begin notifying customers of the incident until the investigation of the extent of the breach was complete.
7. What should I do?
While this event did not involve any disclosure of your Social Security number or financial account details, the Children's Healthcare of Atlanta Foundation encourages everyone to be vigilant in monitoring for phishing or other social engineering campaigns from sources that may appear to be the Children's Healthcare of Atlanta Foundation. When donating to Children’s, please be sure that any web sites are authentic (give.choa.org or choa.org). Please do not hesitate to reach out if you have a question about the legitimacy of any communication you receive from a source that appears to be the Children's Healthcare of Atlanta Foundation.
While there is no evidence of misuse of the information involved in this event, the following are best practices to take as a result of any data security event:
Monitoring your financial statements carefully. If you see any unauthorized or suspicious activity, promptly contact your bank, credit union, or credit card company.
Monitoring your credit reports for suspicious or unauthorized activity. Under U.S. law you are entitled to one free credit report annually from each of the three major credit reporting bureaus. To order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. You may also contact the three major credit bureaus directly to request a free copy of your credit report:
P.O. Box 9554, Allen, TX 75013
P.O. Box 2000, Chester, PA 19106
P.O. Box 105069, Atlanta, GA 30348
Placing a fraud alert on your credit file. You have the right to place an initial or extended “fraud alert” on your file at no cost. An initial fraud alert is a 1-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven years. Contact the three major credit bureaus directly to place a fraud alert on your credit file.
Placing a security freeze on your credit file. A security freeze will prohibit a consumer reporting agency from releasing information in your credit report without your express authorization. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a security freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit. Pursuant to federal law, you cannot be charged to place or lift a security freeze on your credit report. Contact the three major credit bureaus directly to place a security freeze on your credit file.
Contacting the Federal Trade Commission and your state Attorney General to learn more about identity theft, fraud alerts, security freezes, and other steps you can take to protect yourself. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580, www.identitytheft.gov, 1-877-ID-THEFT (1-877-438-4338); TTY: 1-866-653-4261.
Reporting incidents of suspected or actual identity theft or fraud to law enforcement, the Federal Trade Commission, and your state Attorney General.
8. Was law enforcement notified?
Yes, Blackbaud reports that they notified the FBI and are cooperating with the FBI’s investigation. They report that they are unable to share further details because the investigation is ongoing.
9. Is Credit Monitoring being offered?
Credit monitoring is not being offered as this event did not impact Social Security numbers. While there is no evidence of misuse of the information involved, credit monitoring would safeguard or monitor for misuse of the information impacted by this event.
Children’s Healthcare of Atlanta Foundation
3395 NE Expressway, Suite 100
Atlanta, GA 30341