Media statement: Data security incident and impact on Heart & Stroke constituents

(Toronto) — Heart & Stroke recently learned of a data security incident involving Blackbaud, one of our third-party service providers, and is encouraging any donors, volunteers, or members of the Heart & Stroke community to take extra precautions with their information.

What happened?

Heart & Stroke manages personal information related to our stakeholders for the purpose of volunteer and donor relations, communications and for historical record keeping through Blackbaud, one of the world’s largest software providers for non-profit organizations.

On Thursday, July 16, we were notified by Blackbaud that it had discovered and stopped a ransomware incident in May. This attack impacted many of Blackbaud’s clients around the world, including Heart & Stroke. While Blackbaud has informed us that Heart & Stroke was not specifically targeted, we want to provide you with the same information that Blackbaud has provided us.

What is the potential impact?

Data from the Heart & Stroke community that may have been affected includes contact information such as names, email addresses, telephone numbers and addresses. Blackbaud has assured us that data such as credit card numbers, usernames, and passwords were not compromised as these were encrypted. The cyber criminal’s ransom was paid and relevant data was destroyed, according to the update provided to us.

Blackbaud has informed us that there is no reason to conclude that the data related to the Heart & Stroke community will be misused, but we recommend that our constituents exercise additional caution. As the information affected is mainly contact information, the greatest risk would be from someone impersonating Heart & Stroke to solicit funds. Anyone who receives a suspicious email claiming to be us should report the incident to us immediately.

Blackbaud has carried out an internal investigation with the assistance of outside cybersecurity experts and law enforcement and is confident that the data was removed and has not been further used or disclosed. As an added precaution, their investigators are continuing to monitor for any usage of the data that was taken.

What action is Heart & Stroke taking?

We have reported the incident to relevant privacy commissioners and are seeking their advice on any additional safety protocols that we should consider. We are working with Blackbaud to enable multi-factor authentication to protect our records management system. Our call centre team has been updated on this matter and is available to answer questions from our constituents.

We value the trust of our community of donors, volunteers, and supporters, and regret the concern that this may have caused. We have emailed all the impacted constituents that we have up-to-date email addresses for, but encourage anyone with concerns to please contact us at 1-877-882-2582 or via email at

For more information

Teresa Roncon
Senior Manager, Communications
Heart & Stroke
416-489-7111, ext. 23060

About Heart & Stroke

Life. We don’t want you to miss it. That’s why Heart & Stroke leads the fight against heart disease and stroke. We must generate the next medical breakthroughs, so people in Canada don’t miss out on precious moments. Together, we are working to prevent disease, save lives and promote recovery through research, health promotion and public policy.