Kusserow on Compliance: Inova Health System another victim of ransomware attack

Inova Health System is the latest of a dozen health systems affected by a ransomware attack at a third-party software vendor. The Virginia-based health system issued a notice on September 9, 2002 notifying up to 1,045,270 patients and donors, according to a notification Inova submitted to the HHS Office for Civil Rights (OCR). The incident is traced back to Blackbaud Inc., a third-party service vendor used for fundraising and alumni or donor engagement efforts at non-profits and universities. Inova’s notice stated that it was notified by Blackbaud of a ransomware attack which it had discovered and stopped in May 2020.

The attack involved intermittently removing data from the Blackbaud system, which included certain information maintained for Inova. Investigation by Inova found that the personal information affected by the attack may have contained certain personal information of some patients and donors, including: full names, addresses, dates of birth, phone numbers, provider names, dates of service, hospital departments, and/or philanthropic giving history such as donation dates and amounts. The notice also stated there is no evidence that the data will be misused, disseminated or made publicly available and Inova was assured that all compromised data was destroyed and the vulnerability that allowed the incident was closed. The incident did not expose Social Security numbers, financial account information, payment card information, or electronic health records. Blackbaud reportedly prevented the cybercriminals from blocking its system access and fully encrypting its files, however the criminals were able to remove a copy of a subset of data. Blackbaud also reported paying a ransom so that the attackers would destroy their backup file of stolen information.


Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Connect with Richard Kusserow on LinkedIn.

Subscribe to the Kusserow on Compliance Newsletter

Copyright © 2020 Strategic Management Services, LLC. Published with permission.