
Blackbaud announces $49.5 million settlement for data breach

In early October, Blackbaud agreed to a $49.5 million settlement of a lawsuit brought by the attorneys general of 49 states and Washington, DC.


What happened

The settlement relates to a 2020 data breach that exposed sensitive information from approximately 13,000 nonprofits, including charities, K-12 schools, healthcare organizations, religious organizations, and others.

Blackbaud, a company offering fundraising and data management software, acknowledged the breach on July 16th, 2020.

In a Department of Justice press release, Delaware, one of the affected states, noted that Blackbaud significantly downplayed the extent of the breach, with the result that many users received delayed breach notifications and others never received notice at all.

According to AP News, an investigation revealed that health information, Social Security numbers, and financial information were leaked in the breach. It’s estimated that over a million files were exposed. 

Blackbaud agreed to pay a ransom in exchange for the attacker deleting the data. 


What’s new

The settlement is in response to allegations from attorneys general that Blackbaud violated various laws, including consumer protection laws, breach notification laws, and HIPAA. The lawsuit alleged, according to AP News, that Blackbaud failed to “implement reasonable data security and remediate known security gaps.”

The complaint also accuses Blackbaud of failing to notify affected individuals promptly.

Under the terms of the settlement, Blackbaud has not admitted any wrongdoing. The company plans to pay the $49.5 million settlement in full this month. 


Going deeper

As part of the settlement, Blackbaud has agreed to strengthen its security measures and improve its data breach notification procedures. The required practices include:

  • A prohibition on misrepresentations related to personal information, and compliance with state breach notification laws and HIPAA.
  • Implementation and maintenance of incident response plans to prepare for any future breaches.
  • Breach notification requirements that ensure Blackbaud provides customer support.
  • Reporting requirements to ensure the CEO and Board are aware of cybersecurity incidents.
  • Safeguards for personal information.
  • And more.

By following these guidelines, each state’s attorney general hopes to ensure that Blackbaud can responsibly and proactively respond to cyberattacks. 

Separately, Blackbaud also faced a lawsuit from the U.S. Securities and Exchange Commission (SEC) in March. According to that lawsuit, Blackbaud misled investors about the information that was stolen, claiming that bank information and Social Security numbers had not been accessed. Employees had since discovered that this sensitive information had in fact been breached.

In the SEC case, Blackbaud agreed to settle for $3.6 million.


The big picture

Blackbaud will be reassessed in seven years to ensure it remains compliant with all settlement requirements. As the settlement money is released, Indiana can expect to receive $3.6 million, the most of any state involved. Other states can expect to receive anywhere from several hundred thousand dollars to several million.

As companies assess Blackbaud’s situation, it is wise to review all applicable reporting and notification requirements. By meeting these requirements, healthcare organizations can reduce their exposure to lawsuits and ensure patients are able to respond adequately to data leaks.
