Cloud Service Provider ‘Blackbaud’ Leaks Breast Cancer Data

• ‘Living Beyond Breast Cancer’ is sending notices of a data breach to its members.
• The entity that lost the data to hackers was actually the cloud service provider ‘Blackbaud.’
• The affected people are now running the risk of scamming, phishing, and social engineering.

The American nonprofit organization ‘Living Beyond Breast Cancer’ (LBBC) is sending notices of a data breach to its members to alert them of a possible compromise of their sensitive data. According to the letters that have been published by the data protection authorities, the breach happened on Blackbaud’s systems, which apparently suffered a ransomware attack. Blackbaud is a cloud services provider that covers the needs of schools, hospitals, and many nonprofit organizations like LBBC.

Blackbaud informed LBBC of the incident and told them that the hackers stole a backup file that contained people’s names and the accompanying breast cancer diagnosis. The software firm claims that the backup file stolen by the unauthorized individual has been destroyed, which is a weird statement to make. Maybe they meant to say that they were convinced to pay the ransom, thinking that the hacker would truly delete the stolen copies.

While the typical assurances of having no reason to believe that the data has been misused or further disseminated are included in the notice, this is unlikely to be the case. Thus, if you have participated in an LBBC program in the past and shared your personal details with the organization, consider yourself compromised.

Related: Pharmaceutical Company “Pfizer” Leaked Private Client Data

This means that crooks could now launch scamming, phishing, and social engineering attacks against you. Do keep that in mind and treat all incoming communications with extra caution. If you need more information about how this incident affects you specifically, go ahead and contact the organization at 855-807-6386 or by sending an email to inquiries@lbbc.org.

LBBC is also urging the recipients of the breach notice to review their account statements and take any possible action to protect against identity theft, fraud. Instructions on how to do this are enclosed in the letter, but it would be nice to see the organization take the extra step to offer at least a couple of months of monitoring services.

We understand that for nonprofit organizations, covering the cost of such a program and especially in response to an event that’s wasn’t due to their fault or negligence is hard, but still. Data breaches are always bad, but when they involve highly-sensitive information, they’re many times worse.