In a significant development, Blackbaud, a provider of donor relationship management software, has reached a $49.5 million settlement with attorneys general from 49 states and the District of Columbia. The settlement follows allegations of insufficient data security practices and a sluggish response to a ransomware attack in 2020 that resulted in the unauthorized access and theft of sensitive donor information, affecting approximately one-quarter of Blackbaud’s client base, including healthcare organizations. The resolution of this case follows a rigorous multistate investigation led by the attorneys general of Indiana and Vermont.
The ransomware attack that shook Blackbaud took place on May 14, 2020. This cyberattack led to the unauthorized access and exfiltration of more than one million files, including highly sensitive data from approximately 13,000 clients. The stolen information encompassed donor particulars and other confidential data. Remarkably, Blackbaud became aware of the attack on the same day but only publicly disclosed the breach on July 16, 2020. Subsequently, affected clients promptly notified their donors regarding the breach and the theft of their personal information.
Insufficient Data Security Practices:
The core of the multistate investigation revolved around Blackbaud’s data security practices in the lead-up to the breach and its response once the breach was discovered. As a business associate of HIPAA-covered entities, Blackbaud was legally obligated to adhere to specific provisions of the Health Insurance Portability and Accountability Act (HIPAA). Nevertheless, the investigation uncovered severe deficiencies in Blackbaud’s security measures, highlighting the company’s failure to address known security vulnerabilities. These shortcomings ultimately facilitated unauthorized individuals’ access to Blackbaud’s network and the subsequent theft of sensitive customer and donor data.
The investigation into Blackbaud’s actions in the aftermath of the breach revealed numerous shortcomings. There were critical deficiencies in the company’s incident response plan, leading to delays in notifying affected customers. In some instances, customers were not informed at all, a clear violation of both HIPAA Rules and state consumer protection laws. The delayed and incomplete communication with customers significantly exacerbated the impact of the attack.
Source: HIPAA Journal