Blackbaud Security Incident

Stony Brook Patient Notification: Notice of Blackbaud Security Incident

Stony Brook recently learned about a data security incident involving one of our vendors, Blackbaud. Blackbaud is a communications and fundraising software provider for nonprofits, universities, healthcare organizations, foundations and other entities worldwide.

On July 17, 2020, Stony Brook received notice that patient information may have been involved in a security incident on Blackbaud’s systems. Blackbaud detected a ransomware attack on its systems in May 2020. Although Blackbaud was able to contain the attack, some information may have been removed from Blackbaud’s systems during this incident. After Blackbaud provided notice, Stony Brook worked diligently to identify who may have been affected and to alert those individuals whose data may have been present on Blackbaud’s affected systems.

The information that was on the Blackbaud systems affected by this cyberattack may have included your name, date of birth, address/contact information, attending doctor, insurance provider and medical service department. Stony Brook did not provide your Social Security number, bank account information or credit card number to Blackbaud, and so these types of information were not in Stony Brook’s files on the potentially affected systems. Also, this incident did not involve access to any Stony Brook systems, including medical systems or electronic health records.

Blackbaud worked with law enforcement and security experts to respond to the attack and reported that the stolen data was destroyed and not used, sold or distributed. A full description of the incident and Blackbaud’s response is available at Blackbaud’s incident site.

Stony Brook will individually notify potentially impacted patients for whom it has a valid mailing address. Impacted patients are advised to regularly monitor any statements that they receive from their health plans or healthcare providers, to check for any unfamiliar healthcare services. If patients notice any healthcare services that they did not receive listed on one of these statements, they should contact their health plan or the provider.

Based on statements from Blackbaud, we have no reason to believe that the information involved in this incident has been misused. We take our responsibility to safeguard patients’ personal information seriously and remain committed to protecting patient privacy and security. We are evaluating additional security measures and continuing to conduct appropriate oversight of our vendors to help ensure this does not happen in the future. Patients with questions about this situation should contact the dedicated assistance line at 888-604-0249 from 8 am to 5:30 pm Central Time, Monday through Friday, excluding major U.S. holidays.