
Blackbaud Settles Multistate Data Breach Investigation for $49.5 Million

A $49.5 million settlement has been reached between Blackbaud and 49 states and the District of Columbia to resolve allegations of insufficient data security practices and an inadequate response to its 2020 ransomware attack. Blackbaud is a Delaware corporation headquartered in Charleston, South Carolina, that provides donor relationship management software to a wide range of organizations, including healthcare providers, educational institutions, and religious and cultural organizations.

On May 14, 2020, Blackbaud experienced a ransomware attack that resulted in the exfiltration of sensitive donor information. While data encryption was prevented, more than one million files were stolen in the attack, which included data from around one-quarter of its clients (13,000), including many healthcare organizations. Blackbaud publicly disclosed the ransomware attack on July 16, 2020. The impacted clients then notified their donors about the theft of their information; however, it was not until late September that Blackbaud confirmed that financial information and Social Security numbers had been stolen. Previous statements issued in relation to the breach first said that no financial information or SSNs had been stolen, and then that the risk of financial information and SSNs having been stolen was merely hypothetical. Blackbaud has previously settled an investigation by the Securities and Exchange Commission for $3 million.

The multistate investigation was led by the attorneys general in Indiana and Vermont and looked at the data security practices at Blackbaud prior to the data breach and its response when the security breach was detected. As a business associate of HIPAA-covered entities, Blackbaud is required to comply with certain provisions of the Privacy, Security, and Breach Notification Rules of the Health Insurance Portability and Accountability Act (HIPAA). Those requirements include implementing and maintaining appropriate administrative, technical, and physical safeguards to ensure the confidentiality, integrity, and availability of any protected health information it is provided with. The investigation found those measures to be inadequate and found that Blackbaud had not remedied known security vulnerabilities. As a result of those failures, unauthorized individuals were able to gain access to its network and steal the sensitive data of its customers and their donors.

Blackbaud also failed to promptly, completely, or accurately inform its customers about the breach. Deficiencies in its incident response plan delayed the process of notifying the affected customers and, in some cases, those customers were not notified at all. The security and data breach notification failures were determined to have violated the HIPAA Rules and state consumer protection laws.


“Nonprofits doing their great work rely and depend on vendors like Blackbaud to protect sensitive and private information,” Attorney General Rokita said. “This type of leak is unacceptable, and we fought back on behalf of Hoosiers.”

In addition to paying a financial penalty of $49.5 million, the settlement agreement requires Blackbaud to:

  • Implement and maintain a comprehensive information security program.
  • Implement and maintain a breach response plan to ensure an appropriate response to any future security incidents.
  • Establish breach notification provisions, which require Blackbaud to provide appropriate assistance to its customers and support its customer compliance with applicable notification requirements in the event of any future breach.
  • Implement information safeguards and controls, including total database encryption and dark web monitoring.
  • Implement network segmentation, patch management processes, intrusion detection solutions, firewalls, and access controls; log and monitor system alerts for signs of unauthorized activity; and conduct penetration testing.
  • Report any security incidents to its CEO and the board.
  • Enhance employee training.
  • Earmark appropriate resources and support for cybersecurity.
  • Allow third-party assessments of its compliance with the settlement for seven years.
  • Refrain from misrepresenting details of its processing, storing, and safeguarding of personal information; the likelihood that personal information affected by a security incident may be subject to further disclosure or misuse; and breach notification requirements under state law and HIPAA.

“Any company that collects Vermonters’ data has a responsibility to protect that data, and to ensure that affected consumers receive notice if that protection fails,” said Vermont Attorney General Charity Clark. “Implementing good data security practices, such as data minimization, can protect not only consumers but also businesses that suffer a data breach.”

California was the only state not to participate in the action, as it is conducting its own investigation. In addition to a potential settlement with California, Blackbaud is facing a consolidated class action lawsuit over the data breach.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
