[BreachExchange] Blackbaud Faces Another Lawsuit, as More Healthcare Victims Reported

Destry Winant destry at riskbasedsecurity.com
Wed Nov 25 10:50:07 EST 2020


https://healthitsecurity.com/news/blackbaud-faces-another-lawsuit-as-more-healthcare-victims-reported

November 24, 2020 - Another class-action lawsuit has been filed
against Blackbaud following a ransomware attack that breached the data
of more than 10 million individuals from well over 100 companies. In
recent weeks, the number of healthcare entities affected by the
incident has increased by at least 955,000.

Earlier this year, Blackbaud was hit with a ransomware attack on its
self-hosted environment, which compromised some of its client data.
The incident was not discovered until May, though notices provided by
impacted clients noted that the attack began three months earlier in
February.

The attackers were able to obtain a subset of data from Blackbaud
before the attack was contained. And officials said they paid the
ransom demand to have the data returned with confirmation from the
attackers the data had been destroyed.

But as noted in the lawsuit, “Blackbaud however cannot reasonably rely
on the word of cybercriminals to ensure that this data was timely and
properly destroyed and a copy was not made beforehand.”

Blackbaud clients impacted by the event began notifying individuals in August.

Northern Light Health Foundation in Maine was the first healthcare
entity to report its patients and others with ties to the foundation
were included in the breached data, and other entities began filing
notices soon after, including Children’s Hospital of Pittsburgh
Foundation and St. Luke’s Foundation.

In the last few weeks, a range of other healthcare entities have
reported being impacted by the Blackbaud incident:

AdventHealth Foundation Shawnee Mission (315,811)
Spectrum Health Foundation (52,711)
Greenwich Hospital (95,000)
University Health Systems of Eastern Carolina, d/b/a Vidant Health
Methodist Hospital of Southern California Foundation (39,881)
Sisters of Charity Health System (118,874)
Mercy Health and Trinity Health (332,726)

Victims began filing lawsuits across the country in July, and by
September, at least 23 lawsuits had been filed against the vendor. The
latest filing was made in the US District Court of the Florida Middle
District, Tampa Division, by an individual affected by the incident.

Heidi Imhof, a graduate of Stetson University College of Law, filed
the lawsuit on behalf of other victims, claiming Blackbaud failed to
protect and safeguard personally identifiable information and failed
to provide timely, accurate, and adequate notice to the individuals
impacted by the incident.

According to the lawsuit, the Blackbaud incident compromised data from
Stetson University, including names, contact details, medical service
information, dates of birth, and financial information.

The lawsuit alleges that the breach was caused by the vendor’s failure
to implement adequate and reasonable cybersecurity measures and
protocols necessary for protecting individuals’ PII stored in its
cloud.

Further, Blackbaud “disregarded the rights of [individuals] by, inter
alia, intentionally, willfully, recklessly, or negligently failing to
take adequate and reasonable measures to ensure their data and cyber
security systems were protected against unauthorized intrusions,” the
suit alleges.

The suit also claims the vendor did not disclose that it lacked
adequate security protections to safeguard client data, and that
Blackbaud failed to monitor its systems to detect intrusions, to
detect the breach in a timely manner, and to provide victims with
prompt and accurate notice of the incident.

Notably, the initial breach disclosures stressed that Social Security
numbers were not impacted by the ransomware attack. However, a later
filing with the Securities and Exchange Commission revealed that SSNs
were indeed compromised for some of Blackbaud’s clients.

“Although Blackbaud claims that the unauthorized third party did not
access financial information, the notice sent out by at least Vermont
Public Radio, another one of Blackbaud’s customers, to its members
about the Data Breach expressly indicates otherwise,” the lawsuit
argues.

“Blackbaud’s claim that bank account information was not disclosed
during the data breach is demonstrably false,” the suit continues. “An
image of a check would, at the very least, contain the check holder’s
name, address, bank routing number, and account number.”

Calling the breach a heightened fraud risk, the lawsuit seeks
financial compensation for the time and funds individuals will need to
spend to monitor for and defend against potential fraud attempts.

The lawsuit also seeks to compel Blackbaud to adopt reasonably
sufficient security practices to safeguard data in its custody to
prevent an occurrence in the future.

