In May 2020, the cloud software firm Blackbaud experienced a ransomware attack. As is common in human-operated ransomware attacks, the attackers exfiltrated files before encrypting them. A number of the stolen files included the fundraising data of Blackbaud’s healthcare clients.
Rady Children’s Hospital in San Diego is one of the healthcare providers affected. It is California’s largest children’s hospital by admissions. A proposed class-action lawsuit alleges that Rady was responsible for failing to protect the sensitive information of 19,788 people, which the hackers obtained through Blackbaud’s donor management software.
The lawsuit claims Rady did not employ sufficient security measures and did not ensure that Blackbaud had sufficient security measures in place to safeguard ePHI and keep it private. The lawsuit states that persons impacted by the breach face an impending, immediate, significant and continuing increased risk of identity theft and fraud due to the breach and Rady’s neglect.
Blackbaud discovered the ransomware attack in May 2020. The investigation confirmed the hackers had access to the fundraising files of its healthcare customers from February 7 to June 4, 2020. Blackbaud said the hackers were removed from the network as soon as the breach was discovered, but it learned that the attackers had acquired a portion of client files.
Blackbaud decided to pay the ransom demand to ensure the stolen information was deleted. The attackers gave assurances that the records were permanently destroyed. Rady issued breach notification letters explaining that the types of data likely obtained by the attackers included patients’ names, birth dates, addresses, doctors’ names, and the department that provided the medical services.
The lawsuit claims Rady cannot reasonably maintain that the hackers deleted the plaintiffs’ personal information. According to the complaint, Blackbaud did not provide confirmation or additional details concerning the disposition of the files to verify that the stolen records were deleted. The lawsuit additionally states that neither Rady nor Blackbaud knew how the attackers exfiltrated the information, whether it was transmitted securely, or whether it was intercepted by others.
According to the lawsuit, Rady had the means required to secure patient data but failed to implement appropriate security. The plaintiffs are seeking compensation, continuous protection against identity theft and fraud, and a court order imposing changes to Rady’s security procedures to make sure breaches such as this, and several others mentioned in the report, do not occur again.
Blackbaud is also facing several class-action lawsuits associated with the breach. At least 23 putative class action lawsuits were filed against Blackbaud, according to its 2020 Q3 Quarterly Filing with the U.S. Securities and Exchange Commission. The lawsuits have been filed in 17 federal courts, 4 state courts, and 2 Canadian courts. Each claims that breach victims have experienced harm because of the theft of their personal information.
Blackbaud also stated that it had received over 160 claims from its customers and their lawyers in Canada, the U.S., and the U.K. Blackbaud is additionally being investigated by government agencies and regulators, including 43 state Attorneys General and the District of Columbia, the Federal Trade Commission, the Department of Health and Human Services, the Office of the Privacy Commissioner of Canada, and the U.K. GDPR data protection authority, the Information Commissioner’s Office.