Share this article on:
The number of victims reporting being impacted by the Blackbaud ransomware attack and data breach has continued to grow over the past few weeks, with the Department of Health and Human Services’ Office for Civil Rights breach portal continuing to list healthcare victims. Recent additions include Moffitt Cancer Center, OSF HealthCare System, and Geisinger, with those three entities reporting the incident as affecting a total of 276,600 individuals.
While the total number of victims has not been disclosed by Blackbaud, at least 250 healthcare organizations, non-profits, and educational institutions are known to have been impacted, with healthcare organizations reporting the breach as affecting more than 10 million individuals.
Unsurprisingly given the breach costs incurred by organizations and the number of individuals whose personal information has been exposed, Blackbaud is facing many class action lawsuits. At least 23 proposed class action lawsuits have been filed so far in the United States and Canada, according to its 2020 Q3 Quarterly Report filed with the U.S. Securities and Exchange Commission (SEC). 17 of those lawsuits were filed in federal court in the United States, 4 in state courts, and 2 in Canadian courts.
The lawsuits allege victims have suffered harm as a result of the breach and allege violations of several laws, with the lawsuits seeking damages, injunctive relief, and attorneys’ fees, and around 160 claims have been received from Blackbaud’s customers in the U.S, Canada, and United Kingdom.
In addition to the lawsuits, Blackbaud is being investigated by regulators over violations of data privacy laws, including the Department of Health and Human Services, the Federal Trade Commission, and internationally by the UK’s Information Commissioner’s Office and the Office of the Privacy Commissioner of Canada. A joint investigation has also been launched by 43 state attorneys general and the District of Columbia.
According the SEC filing, Blackbaud has already incurred costs in excess of $3.2 million dealing with the cyberattack between July and September 2020, and $3.6 million in costs over the previous 9 months. That figure is offset by $2.9 million accrued in insurance recoveries between July and September.
Costs will continue to be accrued in the response to the breach and while those costs are likely to be considerable, Blackbaud expects its cyber insurance policies to cover the bulk of the costs of the breach.
“We have good insurance in place – our insurers are working with us very closely. The key there is coordinating with them and make sure we’re clear on what they’re covering or not going to cover,” said Blackbaud’s chief financial officer Anthony Boor in an October 30, 2020 call with financial analysts.
While the cyber insurance policies have already covered some of the costs, there is no guarantee that all costs will be covered by those policies. “Lawsuits that are putative class actions require a plaintiff to satisfy a number of procedural requirements before proceeding to trial,” explained Boor. “As a result of these uncertainties, we may be unable to determine the probability of loss until, or after, a court has finally determined that a plaintiff has satisfied the applicable class action procedural requirements.”
In the call with financial analysts, Blackbaud explained that the forensic investigation revealed exactly how the hackers succeeded in gaining access to its systems. The flaw exploited in the attack was present in one of its early generation products which has since been fixed and steps have already been taken to harden security. Blackbaud also explained that millions of dollars had been invested in cybersecurity and personnel prior to the breach in preparation for such an attack.
Blackbaud managed to contain the attack but was not able to prevent the exfiltration of some customer data. The ransom was paid to prevent publication of the data and Blackbaud believes the payment has prevented any further disclosures of data.
“We have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly,” explained Blackbaud in the SEC filing.