A third-party vendor named Blackbaud, which helps RWJBarnabas Health and its hospital foundations manage our database of donors, informed us of a criminal cyberattack that resulted in unauthorized access to certain information. Upon learning of this incident, we worked with RWJBarnabas’s information technology team and external experts to review Blackbaud’s notification and determine what, if any, data may have been affected. Please know that we take this incident and the safeguarding of the security of our donors’ and patients’ information very seriously.
RWJBarnabas Health is an integrated health care system in New Jersey that includes 11 hospitals, children’s hospitals, pharmacies, and various community-based locations. You may be familiar with the names of some of our facilities. A full list is available on our website at www.rwjbh.org and includes the following hospitals:
– Clara Maass Medical Center
– Community Medical Center
– Jersey City Medical Center
– Monmouth Medical Center
– Monmouth Medical Center Southern Campus
– Newark Beth Israel Medical Center
– Robert Wood Johnson University Hospital
– Robert Wood Johnson University Hospital- Hamilton
– Robert Wood Johnson University Hospital- Rahway
– Robert Wood Johnson University Hospital-Somerset
– Saint Barnabas Medical Center
Blackbaud is a software and service provider for more than 25,000 nonprofit organizations, foundations (e.g., RWJBarnabas’ Foundations) around the world.
Blackbaud reports that it discovered and stopped the ransomware attack in May 2020. RWJBarnabas Health was notified in mid-July. Upon learning of the incident RWJBarnabas Health began an extensive investigation.
The RWJBarnabas Health Foundation uses Blackbaud to manage and track donor and potential donor relations.
Blackbaud advised all of its customers that NO credit card or banking information was included in the impacted files, and that NO Social Security numbers were accessible to the cybercriminal.
According to the company, the cybercriminal did access some contact information like names and addresses. If a record had a Medical Record Number (MRN) or indicated area of giving, this information would be of no value and could not be used for identity theft. An MRN number for example has no meaning without access to our other unaffected systems which are hosted on completely different systems.
Blackbaud has told us that based on the company’s own research, as well as investigation by law enforcement and other parties, the company has no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly.
RWJBarnabas Health uses Blackbaud products to manage communications, events, some email updates, and other activities that may involve individuals who are not donors or patients.
Similar to other healthcare organizations that use Blackbaud, we share limited data, as permitted by law, including the Health Insurance Portability and Accountability Act about patients who we believe may want to support our healthcare mission after they receive care at one of our Medical Centers.
If you prefer that we not contact you regarding any further fundraising efforts as a result of this data security incident, please send us an email with your request at Blackbaud@rwjbh.org. The subject line of the email should read “Opt-Out of Fundraising Mailing List”. We ask that you include your full name, mailing address and phone number in the body of the email in order for us to process your opt-out request.
The identifiers at issue in this case cannot be used for identity theft, so credit monitoring is not typically provided in such circumstances.
As part of ongoing efforts, Blackbaud has already implemented several changes to protect your data from any subsequent incidents. Its teams identified the vulnerability associated with this incident and took action to fix it. Blackbaud has tested its fix with multiple third parties, including the appropriate platform vendors, and assured RWJBarnabas that the fix withstands all known cyberattack tactics. RWJBarnabas will continue to monitor Blackbaud to ensure your information is secure.
There is no need to take any specific action at this time. However, as a best practice, we recommend that you remain vigilant and promptly report any suspicious activity to the proper law enforcement authorities. If you have additional questions please call (855) 873-7643 Monday through Friday from 6 a.m. to 8 p.m. PST and Saturday/Sunday from 8 a.m. to 5 p.m. PST.
Our Commitment to You
While data breaches and ransomware attacks are becoming more common, this is not something that RWJBarnabas ever wants to happen to our valued patients and supporters. RWJBarnabas takes your privacy very seriously. We will continue to work with Blackbaud, and other authorities to look further into and monitor this incident. We sincerely apologize that this occurred through one of our third-party vendors and regret any inconvenience it may cause you.