In May 2020, the cloud software group Blackbaud was targeted and attacked with ransomware. As is typical in human-operated ransomware attacks, data was stolen before file encryption took place. A portion of the stolen data included the fundraising databases of its healthcare customers.
One of the impacted healthcare clients was Rady Children’s Hospital-San Diego, the biggest children’s hospital in California. A class action lawsuit has been proposed that claims Rady was at fault for failing to secure the sensitive data of 19,788 individuals which was obtained by the hackers through Blackbaud’s donor management software solution.
The lawsuit claims Rady failed to put in place adequate security measures and failed to ensure that Blackbaud had proper security measures in place to safeguard ePHI and keep it private and confidential. The lawsuit claims that those impacted by the breach now face “imminent, immediate, substantial and continuing increased risk” of identity theft and fraud as a result of the breach and Rady’s negligence.
Blackbaud discovered the ransomware attack in May 2020. The firm’s investigation found the cybercriminals had access to the fundraising databases of its healthcare clients between February 7 and June 4, 2020. Blackbaud said the cybercriminals were removed from the network as soon as the breach was identified, but it discovered that a subset of client data had been obtained by the hackers.
Blackbaud paid the ransom to ensure that the stolen data was permanently erased. The hackers provided proof that the data had been permanently deleted. In its breach notification letters, Rady outlined that the range of information potentially obtained by the hackers was limited to patients’ names, addresses, dates of birth, physicians’ names, and the department where medical services were provided.
The lawsuit claims that Rady cannot reasonably maintain that the hackers permanently deleted the plaintiffs’ personal information. It says: “On information and belief, Blackbaud has not provided verification or further details regarding the disposition of the data to confirm that the stolen data has been destroyed.” The lawsuit also claims that neither Rady nor Blackbaud is aware of how the hackers transferred the data, or whether it was transferred using a secure method and could not have been intercepted by other people.
According to the legal action filed, Rady had the required resources to safeguard patient data but neglected to implement proper security measures. The plaintiffs seek compensation and long-term security against identity theft and fraud, and ask the courts to order changes to Rady’s security policies to ensure that breaches such as this, and several others cited in the report, are prevented in the future.
Blackbaud is also dealing with its own class action lawsuits in relation to the breach. 23 putative class action lawsuits have been initiated against Blackbaud according to its 2020 Q3 Quarterly Filing with the U.S. Securities and Exchange Commission. The legal actions have been submitted in 17 federal courts, 4 state courts, and 2 Canadian courts. Each claims victims of the breach have been impacted due to the theft of their personal data.
Blackbaud also explained in the filing that over 160 claims have been registered by its customers and their attorneys in the U.S., U.K., and Canada. Blackbaud is also being audited by government bodies and regulators, including 43 state Attorneys General and the District of Columbia, the Department of Health and Human Services, Federal Trade Commission, Office of the Privacy Commissioner of Canada, and the U.K. GDPR data protection authority, the Information Commissioner’s Office.