
Judge rejects Blackbaud class certification

U.S. District Court Judge Joseph Anderson denied certification of the class action against Blackbaud because the plaintiffs failed to demonstrate an administratively feasible way to ascertain class membership. 


What happened

On May 21, 2024, U.S. District Court Judge Joseph Anderson denied class certification in a consolidated class action lawsuit against Blackbaud. The lawsuit arose from a ransomware attack and data breach that compromised the data of approximately 1.5 billion individuals. Plaintiffs in the case sought to certify several nationwide negligence and gross negligence classes under Massachusetts law, along with four subclasses for residents of California, New York, and Florida.

Judge Anderson denied the certification because the plaintiffs failed to prove ascertainability, which ensures that class members can be identified using clear and objective criteria. Specifically, the judge found that the plaintiffs did not demonstrate an administratively feasible way to determine class membership without extensive, individualized fact-finding. This lack of ascertainability made it impractical to manage the proposed classes and subclasses, leading to the denial of class certification.



The backstory

In February 2020, a hacker exploited security weaknesses to infiltrate the networks of Blackbaud, a provider of financial, fundraising, and administration software to various organizations. The hacker remained undetected for three months, using compromised credentials to access Blackbaud’s remote desktop environment and move laterally to the company’s data centers in Massachusetts.

During this period, more than 13,000 of Blackbaud’s clients were affected, and an estimated 1.5 billion patients, donors, and other individuals had their sensitive data stolen. The hackers claimed to have exfiltrated over 400 terabytes of data and demanded a ransom; Blackbaud paid 24 bitcoins but did not obtain proof of data deletion. The breach was detected on May 20, 2024, prompting multiple class action lawsuits that were eventually consolidated.

The lawsuit alleged Blackbaud's failure to implement adequate security measures and its negligent and misleading response to the breach. Investigations by the Federal Trade Commission (FTC) and the Securities and Exchange Commission (SEC) found similar failings.



What was said

The class certification court document stated: “In sum, none of the methods Plaintiffs have proposed for ascertaining a class are administratively feasible on their face. Further, none of Plaintiffs’ proposed methods have eliminated the need for this Court, Defendant, or some other party to make tens of millions of individualized inquiries in order to determine whether a given individual satisfies Plaintiffs’ proposed class and sub-class definitions.”




What is a class action?

A class action is a lawsuit where a group of people with similar claims collectively bring a case against a defendant.


What did Blackbaud do wrong?

Blackbaud failed to implement adequate cybersecurity measures and misrepresented the extent and impact of a ransomware attack that compromised sensitive data.


Why did the FTC have to investigate?

The FTC had to investigate Blackbaud due to potential violations of the FTC Act, including inadequate security practices and misleading statements about the data breach.
