HIPAA and Compliance News

Blackbaud Faces Another Lawsuit, as More Healthcare Victims Reported

Another lawsuit has been filed against Blackbaud following its massive breach involving hundreds of companies. At least six healthcare entities were added to the breach tally this month.


By Jessica Davis

Another class-action lawsuit has been filed against Blackbaud following a ransomware attack that breached the data of more than 10 million individuals from well over 100 companies. In recent weeks, the number of breach victims stemming from healthcare entities affected by the incident has increased by at least 955,000.

Earlier this year, Blackbaud was hit with a ransomware attack on its self-hosted environment, which compromised some of its client data. The incident was not discovered until May, though notices provided by impacted clients noted that the attack began three months earlier in February.

The attackers were able to obtain a subset of data from Blackbaud before the attack was contained. Officials said they paid the ransom demand to have the data returned, with confirmation from the attackers that the data had been destroyed.

But as noted in the lawsuit, “Blackbaud however cannot reasonably rely on the word of cybercriminals to ensure that this data was timely and properly destroyed and a copy was not made beforehand.”

Blackbaud clients impacted by the event began notifying individuals in August.

Northern Light Health Foundation in Maine was the first healthcare entity to report its patients and others with ties to the foundation were included in the breached data, and other entities began filing notices soon after, including Children’s Hospital of Pittsburgh Foundation and St. Luke’s Foundation.

In the last few weeks, a range of other healthcare entities have reported being impacted by the Blackbaud incident:

Victims began filing lawsuits across the country in July, and by September, at least 23 lawsuits had been filed against the vendor. The latest filing was made in the US District Court of the Florida Middle District, Tampa Division, by an individual affected by the incident.

Heidi Imhof, a graduate of Stetson University College of Law, filed the lawsuit on behalf of other victims, claiming Blackbaud failed to protect and safeguard personally identifiable information and failed to provide the individuals impacted by the incident with timely, accurate, and adequate notice.

According to the lawsuit, the Blackbaud incident compromised data from Stetson University, including names, contact details, medical service information, dates of birth, and financial information.

The lawsuit alleges that the breach was caused by the vendor’s failure to implement adequate and reasonable cybersecurity measures and protocols necessary for protecting individuals’ PII stored in its cloud.

Further, Blackbaud “disregarded the rights of [individuals] by, inter alia, intentionally, willfully, recklessly, or negligently failing to take adequate and reasonable measures to ensure their data and cyber security systems were protected against unauthorized intrusions,” the suit alleges.

The suit also claims the vendor did not disclose that it lacked adequate security protections to safeguard client data, that Blackbaud failed to monitor its systems to detect intrusions, and that it failed to detect the breach in a timely manner and to provide victims with prompt and accurate notice of the incident.

Notably, the initial breach disclosures stressed that Social Security numbers were not impacted by the ransomware attack. However, a later filing with the Securities and Exchange Commission revealed that SSNs were indeed compromised for some of Blackbaud’s clients.

“Although Blackbaud claims that the unauthorized third party did not access financial information, the notice sent out by at least Vermont Public Radio, another one of Blackbaud’s customers, to its members about the Data Breach expressly indicates otherwise,” the lawsuit argues.

“Blackbaud’s claim that bank account information was not disclosed during the data breach is demonstrably false,” the suit continues. “An image of a check would, at the very least, contain the check holder’s name, address, bank routing number, and account number.”

Calling the breach a heightened fraud risk, the lawsuit seeks financial compensation for the time and funds individuals will need to spend to monitor for and defend against potential fraud attempts.

The lawsuit also seeks to compel Blackbaud to adopt reasonably sufficient security practices to safeguard data in its custody and prevent a recurrence in the future.