September 14, 2020
Joslin Diabetes Center (“Joslin”) is providing notice of a cyber incident that may affect the security of some information relating to certain individuals associated with Joslin, including donors and patients.
On July 16, 2020, Joslin received notification from Blackbaud Inc. (“Blackbaud”) of a cyber incident that it uncovered in May 2020. Blackbaud is a third-party vendor that Joslin uses for database assistance in donor relations and fundraising operations. Upon receiving this notice, Joslin immediately began an investigation to better understand what may have happened and any impact on Joslin’s data. Blackbaud reported that, in May 2020, two months before notifying Joslin, it discovered a ransomware incident that resulted in encryption of certain Blackbaud systems. Blackbaud reported the incident to law enforcement and worked with forensic investigators to determine the nature and scope of the incident. Blackbaud notified its customers, including Joslin, that a cybercriminal may have accessed or acquired certain Blackbaud customer data. Blackbaud reported that the data was potentially exported by the threat actor before Blackbaud locked the cybercriminal out of its environment on May 20, 2020. According to Blackbaud, the data was destroyed, and they do not believe that any data was or will be misused, disseminated or otherwise made publicly available. Blackbaud further stated that this belief has been corroborated by outside experts and law enforcement.
Joslin has worked diligently to gather further information from Blackbaud to understand the incident. Joslin’s investigation determined that the involved Blackbaud systems may have contained names, dates of birth, treatment dates, treatment locations and physician names. Joslin has not received any information from Blackbaud that this information was specifically accessed or acquired by the cybercriminal. It is also important to note that the Joslin data hosted by Blackbaud did not include any financial account information or Social Security numbers.
Joslin takes this incident very seriously, and as part of our ongoing commitment to the security of information we are reviewing our existing policies and procedures regarding our third-party vendors, and are working with Blackbaud to evaluate additional measures and safeguards to protect against this type of incident in the future. As a precaution, we are notifying individuals whose information may have been impacted by the Blackbaud incident so that they may take any further steps they feel are appropriate to best protect their information. Joslin also is notifying state and federal regulators, as required.
While we have no reason to believe there are any specific actions that individuals need to take in this situation, we encourage those potentially affected by the Blackbaud incident to review the below resource information that contains general information on what you can do to help protect personal information.
We understand that you may have questions about the Blackbaud incident, and if you do, please call our dedicated assistance line at 888-977-0627 between the hours of 9:00 AM and 6:30 PM Eastern Time, Monday through Friday (may exclude certain U.S. holidays).
You may also write to Joslin at:
Joslin Diabetes Center
One Joslin Place, Suite 401
Boston, MA 02215
Attention: Privacy Officer
In general, we encourage you to remain vigilant against incidents of identity theft and fraud, to review your account statements, and to monitor your credit reports for suspicious activity. Under U.S. law you are entitled to one free credit report annually from each of the three major credit reporting bureaus. To order your free credit report, visit www.annualcreditreport.com or call, toll-free, 1-877-322-8228. You may also contact the three major credit bureaus directly to request a free copy of your credit report.
The major consumer reporting agencies are listed below:
P.O. Box 9554
Allen, TX 75013
P.O. Box 2000
Chester, PA 19016
P.O. Box 105788
Atlanta, GA 30348-5788
You can further educate yourself regarding identity theft, fraud alerts, security freezes, and the steps you can take to protect yourself by contacting the consumer reporting agencies, the Federal Trade Commission, or your state Attorney General.
The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, DC 20580, www.identitytheft.gov, 1-877-ID-THEFT (1-877-438-4338); TTY: 1-866-653-4261. The Federal Trade Commission also encourages those who discover that their information has been misused to file a complaint with them. You can obtain further information on how to file such a complaint by way of the contact information listed above. You have the right to file a police report if you ever experience identity theft or fraud. Please note that in order to file a report with law enforcement for identity theft, you will likely need to provide some proof that you have been a victim. Instances of known or suspected identity theft should also be reported to law enforcement and your state Attorney General.
For Maryland residents, the Attorney General can be contacted at 200 St. Paul Place, 16th Floor, Baltimore, MD 21202, 1-410-528-8662; 1-888-743-0023; or www.oag.state.md.us.
For Rhode Island residents, the Rhode Island Attorney General may be reached at: 150 South Main Street, Providence, Rhode Island 02903; www.riag.ri.gov; or 1-401-274-4400. Under Rhode Island law, you have the right to obtain any police report filed in regard to this incident. There are approximately 1,453 Rhode Island residents whose information may have been present in the relevant emails.
For Washington, D.C. residents, the Office of Attorney General for the District of Columbia can be reached at: 441 4th Street NW, Suite 1100 South, Washington, D.C. 20001; 1-202-442-9828; https://oag.dc.gov.