Notice of Vendor Data Security Incident to Our Patients and Donors

Community Medical Centers is committed to protecting the privacy of patients and donors, and the security of their information. Regrettably, we have learned that it is one of hundreds of hospitals, healthcare systems, and other nonprofit organizations, including several in California, to be affected by a security event at Blackbaud, the company that hosts our fundraising databases and Terry's House resident database. 
 
Blackbaud is a vendor that provides Community with cloud-based, data solution services related to our donors and fundraising Foundation and for Terry's House, our temporary residence for families who, due to their family member's illness, are away from home for an extended period of time. Community maintains its electronic health record separate from the Foundation and Terry's House.
 
What Happened?
On July 16, 2020, one of our third-party vendors, Blackbaud, informed us that an unauthorized individual, whose identity remains unknown, gained access to Blackbaud’s systems between February 7 and May 20, 2020. Blackbaud advised us that the individual may have acquired a backup of certain donor and prospect information and Terry's House resident information, which sometimes included protected health information of our patients, including those patients associated with Terry's House residents, belonging to our hospitals and Blackbaud’s many other clients, including other hospitals.

Importantly, all Social Security numbers, bank account information and credit card numbers were encrypted—and therefore not accessed. Also, the security incident did not involve access to any of our medical systems or our electronic health records.

But based on the information from Blackbaud, we believe that other confidential information could have been accessed. This might include: patient names, addresses, phone numbers, email addresses, dates of birth, patient complaint and diagnosis information, room numbers, patient identification numbers and/or medical record numbers, the name of the hospital where the patient was treated, and the applicable hospital department or unit. Please read Blackbaud’s statement about the incident: https://www.blackbaud.com/securityincident

What We Are Doing
We are taking this matter very seriously. We immediately took steps to understand the extent of the incident and the data involved.  We will mail letters to all affected patients once our investigation is complete. We also have a dedicated call line for anyone with questions about this incident, at 866- 968-0157.  This line is open Monday through Friday, from 6 a.m. to 3:30 p.m.   
 
To help prevent any future security incidents, we are reviewing our relationship with Blackbaud and the specific security improvements that Blackbaud has now taken in response to this incident.

What You Can Do
We regret any concern or inconvenience this incident may cause you. We recommend you carefully review the bills you receive from your healthcare providers. If you see services you suspect you did not receive, please contact the provider immediately.
 
Our Commitment To You
While data security incidents and ransomware attacks are unfortunately becoming more common, this is not something Community ever wants to happen to our valued supporters. Your privacy is of utmost importance to us. We will continue to work with Blackbaud and authorities to investigate this incident, and very much regret the inconvenience that this security incident may have caused. Please be assured that we take data protection very seriously and are grateful for the continued support of our vital mission to deliver world-class care to everyone in the Central Valley.