In a significant development, Blackbaud, a provider of donor relationship management software, has reached a $49.5 million settlement with attorneys general from 49 states and the District of Columbia. This settlement comes following allegations of insufficient data security practices and a sluggish response to a ransomware attack that occurred in 2020, which resulted in the unauthorized access and theft of sensitive donor information, impacting approximately one-quarter of Blackbaud’s client base, including healthcare organizations. The resolution of this case follows a rigorous multistate investigation led by attorneys general from Indiana and Vermont.
The ransomware attack that shook Blackbaud took place on May 14, 2020. This cyberattack led to the unauthorized access and exfiltration of more than one million files, including highly sensitive data from approximately 13,000 clients. The stolen information encompassed donor particulars and other confidential data. Remarkably, Blackbaud became aware of the attack on the same day but only publicly disclosed the breach on July 16, 2020. Subsequently, affected clients promptly notified their donors regarding the breach and the theft of their personal information.
Insufficient Data Security Practices:
The core of the multistate investigation revolved around Blackbaud’s data security practices in the lead-up to the breach and its response once the breach was discovered. As a business associate of HIPAA-covered entities, Blackbaud was legally obligated to adhere to specific provisions of the Health Insurance Portability and Accountability Act (HIPAA). Nevertheless, the investigation uncovered severe deficiencies in Blackbaud’s security measures, highlighting the company’s failure to address known security vulnerabilities. These shortcomings ultimately facilitated unauthorized individuals’ access to Blackbaud’s network and the subsequent theft of sensitive customer and donor data.
The investigation into Blackbaud’s actions in the aftermath of the breach revealed numerous shortcomings. There were critical deficiencies in the company’s incident response plan, leading to delays in notifying affected customers. In some instances, customers were not informed at all, a clear violation of both HIPAA Rules and state consumer protection laws. The delayed and incomplete communication with customers significantly exacerbated the impact of the attack.
Source: Hipaa Journal
Featured News
Clifford Chance Expands Global Antitrust Team with New Partner
Dec 6, 2024 by
CPI
Spain’s Financial Regulator Awaits Antitrust Decision on BBVA’s Hostile Bid for Sabadell
Dec 5, 2024 by
CPI
RealPage Seeks Dismissal of DOJ Antitrust Suit, Citing Legal Flaws
Dec 5, 2024 by
CPI
EU Competition Chief Signals Potential Google Breakup Amid Big Tech Scrutiny
Dec 5, 2024 by
CPI
Turkey Closes Antitrust Probe into Meta’s Threads-Instagram Practices
Dec 5, 2024 by
CPI
Antitrust Mix by CPI
Antitrust Chronicle® – Moats & Entrenchment
Nov 29, 2024 by
CPI
Assessing the Potential for Antitrust Moats and Trenches in the Generative AI Industry
Nov 29, 2024 by
Allison Holt, Sushrut Jain & Ashley Zhou
How SEP Hold-up Can Lead to Entrenchment
Nov 29, 2024 by
Jay Jurata, Elena Kamenir & Christie Boyden
The Role of Moats in Unlocking Economic Growth
Nov 29, 2024 by
CPI
Overcoming Moats and Entrenchment: Disruptive Innovation in Generative AI May Be More Successful than Regulation
Nov 29, 2024 by
Simon Chisholm & Charlie Whitehead