Breach Notification , Fraud Management & Cybercrime , Incident & Breach Response

Blackbaud Ransomware Breach Victims, Lawsuits Pile Up

More Entities Reporting Breaches Tied to Attack; Millions Affected
Blackbaud Ransomware Breach Victims, Lawsuits Pile Up
Blackbaud's headquarters in Charleston, South Carolina

Story and chart have been updated to reflect additional breach reports posted on the HHS OCR HIPAA Breach Reporting Tool website.

See Also: Double-Click on Risk-Based Cybersecurity

As the tally of reported heath data breaches related to the May ransomware attack on Blackbaud continues to climb, so do the number of lawsuits filed against the cloud-based fundraising software vendor.

As of Thursday, more than three dozen Blackbaud-related health data breaches affecting about 6 million individuals had been posted to the Department of Health and Human Services’ HIPAA Breach Reporting Tool website since the company began notifying clients in the healthcare sector and other affected industries – including universities and nonprofit organizations - about the ransomware incident the company discovered in May.

Commonly called the “wall of shame”, the HHS Office for Civil Rights website lists health data breaches impacting 500 or more individuals.

Meanwhile, at least 10 lawsuits seeking class-action status have been filed against Charleston, South Carolina-based Blackbaud.

10 Largest Reported Blackbaud Health Data Breaches

Breached Entity Individuals Affected
Inova Health System 1.05 Million
Northern Light Health 657,000
SCL Health 441,000*
Saint Luke's Foundation 360,000
NorthShore University HealthSystem 350,000
Iowa Health System dba UnityPoint Health 274,000
Virginia Mason Medical Center 245,000
University of Tennessee Medical Center 235,000
Allina Health 200,000
Christ Hospital Health Network 183,000
*Total from three HIPAA breach reports filed by SCL Health units
Sources: U.S. Dept. of Health and Human Services, breached healthcare entities

Lawsuit Allegations

One of the lawsuits filed in California federal court earlier this month says the May ransomware attack and data breach affected organizations whose data and servers were managed, maintained and secured by Blackbaud. The clients’ data and servers contained identifying, sensitive and personal data from students, patients, donors and other individual users, the complaint notes.

“As a result of the data breach, plaintiffs and thousands of other class member users suffered ascertainable losses in the form of out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack,” alleges the complaint filed by plaintiffs Mamie Estes and Shawn Regan.

“Plaintiffs’ and class members’ sensitive personal information - which was entrusted to defendant, its officials and agents - was compromised and unlawfully accessed due to the data breach. Information compromised in the data breach included a copy of a subset of information retained by Blackbaud, including names, addresses, phone numbers and other personal information,” the lawsuit states.

That complaint, as well as several of the other lawsuits, claims negligence, invasion of privacy, breach of contract as well as violations of state laws, such as the California Consumer Privacy Act.

The identities and private Information of individuals impacted by the breach are now at risk because of Blackbaud’s “negligence,” the California lawsuit alleges.

Blackbaud paid a ransom to the attackers in exchange for the hackers’ “confirmation” that they had destroyed a copy of customer data they had stolen, the company said in a notification statement on its website.

But the lawsuit claims the company “cannot reasonably maintain that the data thieves destroyed the subset copy simply because the defendant paid the ransom and the data thieves confirmed the copy was destroyed.”

Blackbaud maintained the individuals’ private information on a shared network, server and software, and it didn’t maintain adequate security protections, the lawsuit contends.

In a statement provided to Information Security Media Group about the lawsuits, the company says, “Blackbaud disagrees with the allegations and intends to demonstrate they are without merit.”

Blackbaud declined to comment on the total number of its clients and individuals who were affected by the ransomware incident.

Long List of Victims

Besides healthcare sector entities, others affected by the Blackbaud incident include Valley City State University, the University of North Dakota, North Dakota State University, Minot State University, the University of Bridgeport, the West Virginia University Foundation and Emerson College.

Also affected were nonprofit organizations, including National Public Radio stations, the Vermont Food Bank and the Episcopal Relief & Development organization, as well as a number of institutions outside the U.S., including Canada's University of Western Ontario and New Zealand's University of Auckland (see Blackbaud’s Bizarre Ransomware Attack Notification).

Vendor Risk

The Blackbaud incident shines a bright spotlight on the increasing risk that vendors pose to health data and other sensitive information, some legal experts note.

A key issue for plaintiffs is whether Blackbaud is considered an “agent” of the HIPAA covered entities under the federal common law of agency, says regulatory attorney Paul Hales of law firm Hales Law Group. That’s because if it’s acting as an agent, then Blackbaud’s clients could be liable for its security mishaps, he says.

“It’s common for covered entities to make business associates their agents by mistake because they draft contracts that create an agency relationship,” he says. “The federal common law of agency is incorporated in the HIPAA rules, and boilerplate contract language that is appropriate in other fields can create an agency relationship between a covered entity and business associate.”

Similar Incident

The Blackbaud incident is similar to the cyber incident reported in March 2019 by the American Medical Collection Agency, which affected dozens of its healthcare sector clients, including large medical testing laboratories, and more than 20 million individuals.

As a result of the breach related legal actions and other response expenses, AMCA last June filed for bankruptcy.

Subsequently, several lawsuits tied to the breach were filed against some of AMCA’s largest clients - including medical test laboratories Quest Diagnostics and LabCorp – whose patient data was affected by the incident (see Multiple Class Action Lawsuits Filed in AMCA Breach).

Taking Precautions

The Blackbaud ransomware incident is a reminder to healthcare organizations about important security risk issues.

“A mega-breach like this … will likely result in many taking a closer look to re-examine their own security infrastructure,” says Susan Lucci, senior privacy and security consultant at tw-Security.

“It is essential that we remind ourselves there is no 100% guarantee to ensure data is secure from any potential hacking or breach. Cybercriminal processes evolve, and people will continue to make mistakes that can lead to a security incident.”

Healthcare entities should take a hard look at what information is being provided to their vendors and “inquire how the data is partitioned or segregated to reduce the possibility of a data breach affecting multiple customers again,” Lucci stresses.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.