Frequently Asked Questions About Blackbaud
The University of Kansas Health System is proud of the trust and support our friends, donors and grateful patients show us. We are committed to transparency, honesty and protection of the information that we maintain. We recently learned of a global data security incident at Blackbaud, the vendor that provides data hosting services globally for hundreds of hospitals, universities and nonprofits. We use Blackbaud-hosted services for our fund development and donor relations activities, and we are one of many not-for-profits affected by this incident worldwide.
We assure you that we take the protection of donor information very seriously. This cyberattack is concerning to us. We sincerely apologize for Blackbaud’s system data breach and regret any inconvenience it may cause you. For more information, please review the frequently asked questions below.
Blackbaud is one of the largest providers of database services used by not-for-profit organizations (including many hospitals and health systems), with more than 45,000 clients in 100+ countries. The company is considered a best-in-class software provider, and we have contracted with Blackbaud for donor relationship management services. The system is used to record our engagement with members of our community.
Blackbaud discovered and stopped a ransomware attack involving many of its clients, including The University of Kansas Health System. After discovering the attack, Blackbaud’s cybersecurity team, together with independent forensics experts and law enforcement (including the FBI), blocked the cybercriminals from doing additional damage. The cybercriminals, however, successfully removed a backup copy of the files containing some personal information of our donors. Blackbaud paid the cybercriminal a ransom to ensure the backup file was permanently destroyed. This breach occurred no earlier than February 7, 2020, with the cybercriminals possibly accessing data intermittently until May 20, 2020. For more information about Blackbaud’s response, please visit blackbaud.com/securityincident.
The files accessed contained the following data fields, but this data was not obtained for every person in the database:
- Demographic data such as a name
- Addresses and contact details such as phone, email and LinkedIn profile URL
- Records of engagement and fundraising activities including event participation, volunteer service, donations and any other interactions
- Information about interests, if provided
No. We do not store bank account or Social Security information with Blackbaud. If you have made a credit card or ACH transaction with us, the payment processing vendor, authorize.net, stores that information for a period of time before the data is deleted. If you have authorized a recurring payment, the information is securely stored for the period of that commitment.
No. Because we do not collect data elements needed for identity theft and financial information is not stored by Blackbaud, this incident will not elevate your risk of becoming a victim of identity theft. We do advise, however, that our constituents follow best practices in protecting their identity, such as monitoring of the annual free credit report at annualcreditreport.com.