Dinsmore & Shohl LLP
  October 12, 2023 - Louisville, Kentucky

Blackbaud Reaches $49.5 Million Multistate Settlement Over Data Breach
  by Jennifer Orr Mitchell, Kurt R. Hunt, Jared M. Bruce

Last week, 49 state attorneys general announced a $49.5 million settlement with Blackbaud, Inc. (Blackbaud) over the software company’s data-security practices and its response to a breach in 2020 that exposed the personal information of millions of individuals.

Blackbaud provides software solutions to nonprofit organizations, including charities, schools and healthcare agencies, to help them connect with donors and manage data about their constituencies. The data consists of demographic information, Social Security numbers, driver’s license numbers, financial data, employment and wealth information, donation histories and protected health information.

Specifically, the settlement pertains to a 2020 ransomware breach perpetrated by a criminal ransomware group that exposed highly sensitive information of more than 13,000 Blackbaud customers, mostly charities and nonprofits. The breach exposed those organizations’ sensitive information, including personal information related to their donor bases and program participants. Blackbaud complied with the attackers' demand for ransom after being told that all the stolen data was destroyed.

The settlement resolves allegations from the state attorneys general that Blackbaud violated state consumer protection laws, breach-notification laws and the Health Insurance Portability and Accountability Act (HIPAA). The alleged violations stemmed in part from the company’s failure to establish reasonable data security and remediate the known security gaps, allowing unauthorized individuals to gain access to Blackbaud’s network.

It was further alleged that Blackbaud failed to promptly, completely or accurately inform its customers about the breach, as required by law. The states claim those lapses significantly delayed the process of notifying those whose personal information was compromised, and, in some cases, there was no notification at all. This comes hard on the heels of Blackbaud’s $3 million settlement with the Securities and Exchange Commission in March of 2023, resolving multiple alleged violations of the Securities Act of 1933 arising from Blackbaud’s allegedly incomplete disclosures related to the same ransomware incident.

Under the settlement, Blackbaud must, among other requirements:

The settlement agreement is available here.

This case serves as another example that companies, including HIPAA covered entities, should carefully review the information security policies of their vendors and business associates to ensure compliance with applicable law, including the HIPAA Privacy and Security Rules. Companies that serve as business associates or that handle sensitive information must also have the proper protocols in place to ensure this information is protected.

If you have any questions regarding this settlement or regarding your compliance obligations under state law and the HIPAA Privacy and Security Rules, contact your Dinsmore health care attorney.

Read full article at: https://www.dinsmore.com/publications/blackbaud-reaches-49-5-million-multistate-settlement-over-data-breach/