Judge Denies Class Certification in Blackbaud Lawsuit
A federal judge has denied class certification in a consolidated class action lawsuit against Blackbaud over its 2020 ransomware attack and data breach as the plaintiffs failed to meet their burden of proof for ascertainability. Blackbaud is a provider of financial, fundraising, and administration software to companies, educational institutions, and non-profits. In February 2020, a hacker exploited security weaknesses and gained access to Blackbaud’s networks, and remained undetected for 3 months. Compromised credentials provided the hacker with access to Blackbaud’s remote desktop environment, from where they moved laterally to the company’s data centers in Massachusetts. The breach was detected by Blackbaud on May 20, 2024.
During those three months, a vast amount of data was exfiltrated from Blackbaud’s network. More than 13,000 of Blackbaud’s clients were affected and an estimated 1.5 billion patients, donors, and other individuals had their sensitive data stolen. The hackers claimed to have exfiltrated more than 400 terabytes of data and issued a ransom demand, payment of which was required to have the data deleted. Blackbaud paid a 24-bitcoin ransom; however, Blackbaud did not obtain any proof that the data had been deleted.
More than a dozen class action lawsuits were filed against Blackbaud by individuals whose data was stolen in the attack. Since the lawsuits made similar allegations and were based on the same facts, the lawsuits were consolidated into a single lawsuit. The lawsuit alleged that Blackbaud failed to implement reasonable and appropriate security measures and that its response to the breach was negligent and misleading. The Federal Trade Commission (FTC) investigated the breach and came to similar conclusions, alleging violations of the FTC Act for failing to implement appropriate security measures, the retention of data when there was no business purpose for keeping the data, and for making misleading statements about the extent of the breach. Blackbaud was also investigated by the Securities and Exchange Commission (SEC) and agreed to a $3 million settlement to resolve allegations it made misleading statements about the breach.
The lawsuit proposed several classes, including nationwide negligence and gross negligence classes under Massachusetts law covering all natural persons in the United States whose data was stolen from Blackbaud, plus four subclasses for residents of California, New York, and Florida. While it is not a statutory prerequisite to class certification, some courts require plaintiffs to establish ascertainability at the class certification stage.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Ascertainability means that members of a certified class must be sufficiently definite and must be easily ascertained or determined using objective criteria, which is important to ensure manageability and fairness in class action proceedings. U.S. District Court Judge Joseph Anderson denied certification because the plaintiffs failed to demonstrate the proposed classes and subclasses were ascertainable. According to Anderson, the plaintiffs failed to show that there was an administratively feasible way for the court to determine if a particular individual was a member of a class without extensive, individualized fact-finding.
