Blackbaud, a provider of donor relationship management software, has reached a $49.5 million settlement with attorneys general from 49 states and the District of Columbia. The settlement follows allegations of insufficient data security practices and a sluggish response to a 2020 ransomware attack, which resulted in the unauthorized access and theft of sensitive donor information and affected approximately one-quarter of Blackbaud’s client base, including healthcare organizations. The resolution of the case follows a multistate investigation led by the attorneys general of Indiana and Vermont.
The ransomware attack on Blackbaud took place on May 14, 2020. It led to the unauthorized access and exfiltration of more than one million files, including highly sensitive data belonging to approximately 13,000 clients. The stolen information included donor particulars and other confidential data. Blackbaud became aware of the attack on the same day but did not publicly disclose the breach until July 16, 2020. Only then did affected clients notify their donors of the breach and the theft of their personal information.
Insufficient Data Security Practices:
The core of the multistate investigation revolved around Blackbaud’s data security practices in the lead-up to the breach and its response once the breach was discovered. As a business associate of HIPAA-covered entities, Blackbaud was legally obligated to adhere to specific provisions of the Health Insurance Portability and Accountability Act (HIPAA). Nevertheless, the investigation uncovered severe deficiencies in Blackbaud’s security measures, highlighting the company’s failure to address known security vulnerabilities. These shortcomings ultimately facilitated unauthorized individuals’ access to Blackbaud’s network and the subsequent theft of sensitive customer and donor data.
The investigation into Blackbaud’s actions in the aftermath of the breach revealed numerous shortcomings. There were critical deficiencies in the company’s incident response plan, leading to delays in notifying affected customers. In some instances, customers were not informed at all, a clear violation of both HIPAA Rules and state consumer protection laws. The delayed and incomplete communication with customers significantly exacerbated the impact of the attack.
Source: HIPAA Journal