

Blackbaud Agrees to $6.75 Million Data Breach Settlement with California

Blackbaud has agreed to pay $6.75 million to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and California’s data privacy laws that resulted in a massive data breach in 2020. Blackbaud provides data management software to nonprofit organizations that they use for their fundraising activities. The software stores sensitive information including names, Social Security numbers, bank account information, and medical information.

In May 2020, Blackbaud announced that hackers had gained access to internal systems. Initially, Blackbaud issued a statement claiming that consumers’ personal data was not accessed, only to later confirm that was not the case, and that consumer information had been compromised. The company then failed to issue timely notifications to the affected individuals.

The data breach was investigated by the California Department of Justice, which confirmed that hackers had accessed internal systems and remained undetected for three months. The attack was possible due to Blackbaud’s failure to implement appropriate security measures and follow standard security practices. For instance, despite maintaining vast amounts of highly sensitive data, Blackbaud was not properly monitoring for suspicious activity within its systems, had not implemented multifactor authentication for accounts, and did not keep up to date with evolving security standards. Prior to the data breach, Blackbaud made deceptive statements about its security practices, and it then made misrepresentations about the data breach. Blackbaud was also storing data for longer than was necessary, including consumers’ data provided by clients that no longer used Blackbaud’s services.

On June 13, 2024, California Attorney General Rob Bonta announced that a settlement had been agreed with the South Carolina-based software company to resolve alleged violations of HIPAA and California’s consumer privacy and data protection laws. In addition to the financial penalty, Blackbaud is required to implement robust data security improvements to reduce the risk of further cyberattacks and data breaches. Those measures include tightening data security policies and procedures, including implementing network segmentation, monitoring systems containing personal data for suspicious activity, and configuring alerts and acting on them when suspicious activity is detected.


Password security must be improved, either through password confidentiality and password rotation or through an authentication policy such as multifactor authentication. A process must also be established to ensure that database backup files containing personal information are disposed of securely when they are no longer required, and any personal information that is stored must be limited to the minimum necessary amount.

“Not only did Blackbaud fail to protect consumers’ personal information, but they misled the public of the full impact of the data breach. This is simply unacceptable,” said Bonta. “Today’s settlement will ensure that Blackbaud prioritizes safeguarding consumers’ personal information and enhances security measures to prevent future incidents.”

The settlement with the California Attorney General is the latest in a series of actions against Blackbaud over its data breach. In September 2023, a $49.5 million settlement was agreed with 49 states and DC, and a $3 million settlement was agreed with the Securities and Exchange Commission (SEC). In May 2024, Blackbaud agreed to a settlement with the Federal Trade Commission that requires Blackbaud to delete all data that the company no longer requires to provide its products and services. Blackbaud was also sued by individuals affected by the data breach, and while a federal judge denied class certification, that is unlikely to signal the end of the litigation.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
