NYU Winthrop Hospital Notifies Patients of Potential Breach of Information
Earlier this year, NYU Winthrop Hospital, as part of NYU Langone Hospitals, announced that between February and May 2020, an incident occurred involving one of its vendors, Blackbaud, resulting in a potential breach of information relating to the hospital’s database of potential donors and supporters of fundraising. Following a detailed investigation, it was later determined (on September 22, 2020) that the database also contained NYU Winthrop patient information, potentially including patient names, addresses, dates of birth, dates of service at NYU Winthrop, and provider name and provider department. The hospital is currently mailing out letters to notify those potentially impacted patients. Of note, patient financial information and Social Security numbers were not included and therefore are not at risk.
In addition to mailing out letters to individuals whose information was contained in the database, NYU Winthrop has also established a dedicated call center to answer any questions its patients may have, which can be reached toll-free at 833-791-1657, Monday through Friday, 9:00 AM to 9:00 PM Eastern Standard Time. If a patient receives communication or fundraising solicitation from NYU Winthrop and would like to confirm its validity, the patient should reach out to NYU Winthrop for verification.
About Blackbaud and Incident
Blackbaud is a vendor that provides NYU Winthrop Hospital and other not-for-profit organizations with cloud-based and data solution services related to potential donors and individuals who support its fundraising. Earlier this year, Blackbaud informed NYU Winthrop that it had discovered that an unauthorized individual had gained access to Blackbaud’s systems between February 7, 2020 and May 20, 2020. Blackbaud advised that the unauthorized individual may have acquired a backup of the database that managed NYU Winthrop’s donor information and that Blackbaud paid to have the unauthorized individual return the data and agree to no dissemination. NYU Winthrop took steps to understand the extent of the incident and the data involved, and conducted an exhaustive investigation. Importantly, this incident did not involve any Social Security numbers or financial information and did not involve any direct access to NYU Winthrop’s systems.
NYU Winthrop has taken several steps to help prevent something like this from happening again, including shutting down Blackbaud’s access to information and prioritizing the migration of information from Blackbaud to on-premises storage.