In a significant development, Blackbaud, a provider of donor relationship management software, has reached a $49.5 million settlement with attorneys general from 49 states and the District of Columbia. This settlement comes following allegations of insufficient data security practices and a sluggish response to a ransomware attack that occurred in 2020, which resulted in the unauthorized access and theft of sensitive donor information, impacting approximately one-quarter of Blackbaud’s client base, including healthcare organizations. The resolution of this case follows a rigorous multistate investigation led by attorneys general from Indiana and Vermont.
The ransomware attack that shook Blackbaud took place on May 14, 2020. This cyberattack led to the unauthorized access and exfiltration of more than one million files, including highly sensitive data from approximately 13,000 clients. The stolen information encompassed donor particulars and other confidential data. Remarkably, Blackbaud became aware of the attack on the same day but only publicly disclosed the breach on July 16, 2020. Subsequently, affected clients promptly notified their donors regarding the breach and the theft of their personal information.
Insufficient Data Security Practices:
The core of the multistate investigation revolved around Blackbaud’s data security practices in the lead-up to the breach and its response once the breach was discovered. As a business associate of HIPAA-covered entities, Blackbaud was legally obligated to adhere to specific provisions of the Health Insurance Portability and Accountability Act (HIPAA). Nevertheless, the investigation uncovered severe deficiencies in Blackbaud’s security measures, highlighting the company’s failure to address known security vulnerabilities. These shortcomings ultimately facilitated unauthorized individuals’ access to Blackbaud’s network and the subsequent theft of sensitive customer and donor data.
The investigation into Blackbaud’s actions in the aftermath of the breach revealed numerous shortcomings. There were critical deficiencies in the company’s incident response plan, leading to delays in notifying affected customers. In some instances, customers were not informed at all, a clear violation of both HIPAA Rules and state consumer protection laws. The delayed and incomplete communication with customers significantly exacerbated the impact of the attack.
Source: Hipaa Journal
Featured News
Google and South Carolina Clash Over State Records Demand
May 8, 2024 by
CPI
Telefonica Germany Teams Up with Amazon Web Services to Migrate 5G Customers
May 8, 2024 by
CPI
Federal Judge Grants $7.4 Million Settlement in Pork Price-Fixing Case
May 8, 2024 by
CPI
Wilson Sonsini Bolsters Antitrust and Competition Practice with Key Partner Returns
May 8, 2024 by
CPI
EU to Scrutinize Telecom Italia’s Network Sale to KKR
May 8, 2024 by
CPI
Antitrust Mix by CPI
Antitrust Chronicle® – Economics of Criminal Antitrust
Apr 19, 2024 by
CPI
Navigating Economic Expert Work in Criminal Antitrust Litigation
Apr 19, 2024 by
CPI
The Increased Importance of Economics in Cartel Cases
Apr 19, 2024 by
CPI
A Law and Economics Analysis of the Antitrust Treatment of Physician Collective Price Agreements
Apr 19, 2024 by
CPI
Information Exchange In Criminal Antitrust Cases: How Economic Testimony Can Tip The Scales
Apr 19, 2024 by
CPI