The Charleston, SC-based fundraising service provider, Blackbaud, has agreed to a settlement with 49 states and DC and will pay a penalty of $49.5 million to resolve alleged violations of HIPAA and state consumer protection laws. In addition to the financial penalty, Blackbaud has agreed to implement a raft of security measures to address the issues identified by the state attorneys general in their investigation.
Blackbaud provides software to healthcare providers, educational institutions, and charities that allows them to connect with their donors and potential contributors. In July 2020, Blackbaud was attacked by a ransomware group, and while Blackbaud said it was able to prevent file encryption, by the time the attack was detected, more than 1 million files had been stolen. Those files contained the sensitive data of approximately 13,000 customers – a quarter of its customer base. Approximately 5.5 million individuals had their data stolen in the attack. Blackbaud paid a $230,000 ransom to prevent the release of the stolen data.
Blackbaud announced the breach on its website on July 16, 2020, and initially stated that the attackers did not access financial account information or Social Security numbers; however, a few days later its technology and customer relations personnel learned that those statements were erroneous. Then, on August 4, 2020, Blackbaud told the Securities and Exchange Commission that the risk of exfiltration of financial account information and Social Security numbers was hypothetical. At the end of September 2020, the company confirmed that financial account information and Social Security numbers had in fact been stolen. Blackbaud was found to have violated the Securities Act, the Exchange Act, and the associated rules, and paid a penalty of $3 million to resolve the SEC investigation.
A multistate investigation was launched by the state attorneys general in Indiana (Todd Rokita) and Vermont (Charity Clark), and was joined by virtually all US states and the District of Columbia. California was the only state that did not participate in the investigation as it is conducting its own investigation into the incident. Blackbaud was alleged to have failed to implement appropriate security measures and not addressed known security issues in a timely manner. Those failures allowed a ransomware group to access its systems and steal sensitive data. There were also breach response failures that resulted in delayed notifications to the affected individuals, and in some cases, notifications were not issued at all. These failures violated state consumer protection laws, data breach notification laws, and the Health Insurance Portability and Accountability Act (HIPAA).
Under the terms of the settlement, in addition to the financial penalty, Blackbaud is required to implement and maintain a comprehensive information security program and incident response program, ensure appropriate cybersecurity measures are implemented, improve its security awareness training program, conduct penetration testing, submit to third-party security audits annually for the next 7 years, and ensure that all security incidents are reported to the CEO and the board.
Blackbaud is also facing a consolidated class action lawsuit over the data breach and will likely have to agree to a settlement with the California attorney general.