HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Rady Children’s Hospital Facing Class Action Lawsuit over Blackbaud Ransomware Attack

In May 2020, the cloud software company Blackbaud suffered a ransomware attack. As is common in human operated ransomware attacks, data was exfiltrated prior to file encryption. Some of the stolen data included the fundraising databases of its healthcare clients.

One of the affected healthcare providers was Rady Children’s Hospital-San Diego, the largest children’s hospital in California in terms of admissions. A class action lawsuit has been proposed that alleges Rady was negligent for failing to protect the sensitive information of 19,788 individuals which was obtained by the hackers through Blackbaud’s donor management software solution.

The lawsuit alleges Rady failed to implement adequate security measures and failed to ensure Blackbaud had adequate security measures in place to protect ePHI and ensure it remained private and confidential. The lawsuit alleges individuals affected by the breach now face “imminent, immediate, substantial and continuing increased risk” of identity theft and fraud as a result of the breach and Rady’s negligence.

Blackbaud discovered the ransomware attack in May 2020. The company’s investigation revealed the hackers had access to the fundraising databases of its healthcare clients between February 7 and June 4, 2020. Blackbaud said the hackers were expelled from the network as soon as the breach was discovered but had discovered a subset of client data had been obtained by the attackers.

Please see the HIPAA Journal Privacy Policy

3 Steps To HIPAA Compliance

Please see HIPAA Journal
privacy policy

  • Step 1 : Download Checklist.
  • Step 2 : Review Your Business.
  • Step 3 : Get Compliant!

The HIPAA Journal compliance checklist provides the top priorities for your organization to become fully HIPAA compliant.

Blackbaud took the decision to pay the ransom to ensure the stolen data was deleted. Assurances were received from the attackers that the data had been permanently destroyed. In its breach notification letters, Rady explained that the types of information potentially obtained by the hackers included patients’ names, addresses, dates of birth, physicians’ names, and the department where medical services were provided.

The lawsuit alleges Rady cannot reasonably maintain that the hackers destroyed the plaintiffs’ personal information. According to the complaint, “On information and belief, Blackbaud has not provided verification or further details regarding the disposition of the data to confirm that the stolen data has been destroyed.” The lawsuit also alleges neither Rady nor Blackbaud are aware how the hackers exfiltrated data, and whether it was transmitted in a secure manner and could not have been intercepted by other individuals.

According to the lawsuit, Rady had the necessary resources to protect patient data but neglected to implement appropriate security. The plaintiffs seek compensation, long -term protection against identity theft and fraud, and a court order to enforce changes to Rady’s security policies to ensure breaches such as this, and several others cited in the report, do not happen again.

Blackbaud is also facing multiple class action lawsuits over the breach. At least 23 putative class action lawsuits have filed against Blackbaud according to its 2020 Q3 Quarterly Filing with the U.S. Securities and Exchange Commission. The lawsuits have been filed in 17 federal courts, 4 state courts, and 2 Canadian courts.  Each alleges victims of the breach have suffered harm as a result of the theft of their personal data.

Blackbaud also said more than 160 claims have been received from its customers and their attorneys in the U.S., U.K., and Canada. Blackbaud is also being investigated by government agencies and regulators, including 43 state Attorneys General and the District of Columbia, the Department of Health and Human Services, Federal Trade Commission, Office of the Privacy Commissioner of Canada, and the U.K GDPR data protection authority, the Information Commissioner’s Office.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.