Blackbaud will pay $49.5 million to 49 states and the District of Columbia to settle investigations into a 2020 ransomware event that exposed the personal information of millions of individuals nationwide. Blackbaud is a software company that sells tools for fundraising, nonprofit financial management, and education. Its customers include nonprofit organizations, foundations, schools, and healthcare organizations.
Blackbaud Hit by Ransomware Thieves
The cyber attack happened in May 2020, and Blackbaud disclosed it publicly in July 2020. Apparently, Blackbaud negotiated a ransom and paid the hackers in Bitcoin to prevent the publication or sale of the stolen data. Blackbaud said it received assurances from the hackers that all stolen data were deleted. It did not disclose how much it paid.
Note, however, that the FBI and cybersecurity experts advise against paying ransom because there are no guarantees that criminal hackers will keep their word, and ransom payments encourage additional attacks.
The personal data held by Blackbaud included contact and demographic information, Social Security numbers, driver’s license numbers, financial information, employment and wealth information, donation history, and protected health information (PHI). The data breach affected 13,000 of Blackbaud’s customers.
Although a final count of the individuals affected isn’t known, estimates by DataBreaches.net and Suspectfile.com place the total at well over 20 million.
Individuals, Plaintiff Attorneys and Regulators React
In the wake of the breach, numerous class action lawsuits were filed in federal courts against Blackbaud by individuals affected. Then state attorneys general across the country began to collaborate on an investigation which eventually led to this $50 million settlement.
This settlement payment is on top of a $3 million civil money penalty paid to the Securities and Exchange Commission (SEC) to settle an investigation into alleged misleading disclosures to the public about the 2020 cybersecurity incident.
States Can Enforce HIPAA
As a vendor to hospitals doing fundraising, Blackbaud is a HIPAA business associate. When the Blackbaud hack was announced in 2020, it was reported that nearly 3 million individuals served by healthcare organizations were affected. That number has grown to more than 11 million as more has been learned since the incident occurred.
State attorneys general brought the case under their right to enforce HIPAA and relevant state laws. The Blackbaud settlement is the most far reaching example of HIPAA enforcement by state attorneys general to date, with 49 states and the District of Columbia acting together.
Each state has its own separate settlement agreement, reflecting its own laws in addition to the HIPAA federal law, e.g., privacy, consumer protection, deceptive practices, etc.
In addition to the payments, highlights from what the settlements require of Blackbaud include:
- Improvements to cybersecurity protections
- Implement network segmentation, patch management systems and more
- Implement an incident response plan to manage potential future security incidents
- Establish breach notification policies and procedures
- Enhance employee cybersecurity training
- Allow third-party assessments of its compliance for seven years
- Create procedures to assist customers in the event of a breach
- Report all incidents to the company’s CEO and board
HIPAA Compliance Prevents Disaster and Saves Money
Following HIPAA and maintaining strong cybersecurity protections is the best defense against cybersecurity attacks.
Following HIPAA also provides a strong defense in lawsuits and investigations because it shows a high standard of care. Organizations paying the highest settlements are ones that have not paid close attention to HIPAA, that don’t do an annual risk analysis and fail to train employees adequately.