In a significant development, Blackbaud, a provider of donor relationship management software, has reached a $49.5 million settlement with attorneys general from 50 states. The settlement follows allegations of insufficient data security practices and a sluggish response to a ransomware attack that occurred in 2020, which resulted in the unauthorized access and theft of sensitive donor information, impacting approximately one-quarter of Blackbaud’s client base, including healthcare organizations. The resolution of this case follows a rigorous multistate investigation led by attorneys general from Indiana and Vermont.
The ransomware attack that shook Blackbaud took place on May 14, 2020. This cyberattack led to the unauthorized access and exfiltration of more than one million files, including highly sensitive data from approximately 13,000 clients. The stolen information encompassed donor particulars and other confidential data. Remarkably, Blackbaud became aware of the attack on the same day but only publicly disclosed the breach on July 16, 2020. Subsequently, affected clients promptly notified their donors regarding the breach and the theft of their personal information.
Insufficient Data Security Practices:
The core of the multistate investigation revolved around Blackbaud’s data security practices in the lead-up to the breach and its response once the breach was discovered. As a business associate of HIPAA-covered entities, Blackbaud was legally obligated to adhere to specific provisions of the Health Insurance Portability and Accountability Act (HIPAA). Nevertheless, the investigation uncovered severe deficiencies in Blackbaud’s security measures, highlighting the company’s failure to address known security vulnerabilities. These shortcomings ultimately facilitated unauthorized individuals’ access to Blackbaud’s network and the subsequent theft of sensitive customer and donor data.
The investigation into Blackbaud’s actions in the aftermath of the breach revealed numerous shortcomings. There were critical deficiencies in the company’s incident response plan, leading to delays in notifying affected customers. In some instances, customers were not informed at all, a clear violation of both HIPAA Rules and state consumer protection laws. The delayed and incomplete communication with customers significantly exacerbated the impact of the attack.
Source: HIPAA Journal