Blackbaud Ransomware Breach Victims, Lawsuits Pile UpMore Entities Reporting Breaches Tied to Attack; Millions Affected
Story and chart have been updated to reflect additional breach reports posted on the HHS OCR HIPAA Breach Reporting Tool website.
As the tally of reported heath data breaches related to the May ransomware attack on Blackbaud continues to climb, so do the number of lawsuits filed against the cloud-based fundraising software vendor.
As of Thursday, more than three dozen Blackbaud-related health data breaches affecting about 6 million individuals had been posted to the Department of Health and Human Services' HIPAA Breach Reporting Tool website since the company began notifying clients in the healthcare sector and other affected industries - including universities and nonprofit organizations - about the ransomware incident the company discovered in May.
Commonly called the "wall of shame", the HHS Office for Civil Rights website lists health data breaches impacting 500 or more individuals.
Meanwhile, at least 10 lawsuits seeking class-action status have been filed against Charleston, South Carolina-based Blackbaud.
10 Largest Reported Blackbaud Health Data Breaches
|Breached Entity||Individuals Affected|
|Inova Health System||1.05 Million|
|Northern Light Health||657,000|
|Saint Luke's Foundation||360,000|
|NorthShore University HealthSystem||350,000|
|Iowa Health System dba UnityPoint Health||274,000|
|Virginia Mason Medical Center||245,000|
|University of Tennessee Medical Center||235,000|
|Christ Hospital Health Network||183,000|
One of the lawsuits filed in California federal court earlier this month says the May ransomware attack and data breach affected organizations whose data and servers were managed, maintained and secured by Blackbaud. The clients' data and servers contained identifying, sensitive and personal data from students, patients, donors and other individual users, the complaint notes.
"As a result of the data breach, plaintiffs and thousands of other class member users suffered ascertainable losses in the form of out-of-pocket expenses and the value of their time reasonably incurred to remedy or mitigate the effects of the attack," alleges the complaint filed by plaintiffs Mamie Estes and Shawn Regan.
"Plaintiffs' and class members' sensitive personal information - which was entrusted to defendant, its officials and agents - was compromised and unlawfully accessed due to the data breach. Information compromised in the data breach included a copy of a subset of information retained by Blackbaud, including names, addresses, phone numbers and other personal information," the lawsuit states.
The identities and private Information of individuals impacted by the breach are now at risk because of Blackbaud's "negligence," the California lawsuit alleges.
Blackbaud paid a ransom to the attackers in exchange for the hackers' "confirmation" that they had destroyed a copy of customer data they had stolen, the company said in a notification statement on its website.
But the lawsuit claims the company "cannot reasonably maintain that the data thieves destroyed the subset copy simply because the defendant paid the ransom and the data thieves confirmed the copy was destroyed."
Blackbaud maintained the individuals' private information on a shared network, server and software, and it didn't maintain adequate security protections, the lawsuit contends.
In a statement provided to Information Security Media Group about the lawsuits, the company says, "Blackbaud disagrees with the allegations and intends to demonstrate they are without merit."
Blackbaud declined to comment on the total number of its clients and individuals who were affected by the ransomware incident.
Long List of Victims
Besides healthcare sector entities, others affected by the Blackbaud incident include Valley City State University, the University of North Dakota, North Dakota State University, Minot State University, the University of Bridgeport, the West Virginia University Foundation and Emerson College.
Also affected were nonprofit organizations, including National Public Radio stations, the Vermont Food Bank and the Episcopal Relief & Development organization, as well as a number of institutions outside the U.S., including Canada's University of Western Ontario and New Zealand's University of Auckland (see Blackbaud's Bizarre Ransomware Attack Notification).
The Blackbaud incident shines a bright spotlight on the increasing risk that vendors pose to health data and other sensitive information, some legal experts note.
A key issue for plaintiffs is whether Blackbaud is considered an "agent" of the HIPAA covered entities under the federal common law of agency, says regulatory attorney Paul Hales of law firm Hales Law Group. That's because if it's acting as an agent, then Blackbaud's clients could be liable for its security mishaps, he says.
"It's common for covered entities to make business associates their agents by mistake because they draft contracts that create an agency relationship," he says. "The federal common law of agency is incorporated in the HIPAA rules, and boilerplate contract language that is appropriate in other fields can create an agency relationship between a covered entity and business associate."
The Blackbaud incident is similar to the cyber incident reported in March 2019 by the American Medical Collection Agency, which affected dozens of its healthcare sector clients, including large medical testing laboratories, and more than 20 million individuals.
As a result of the breach related legal actions and other response expenses, AMCA last June filed for bankruptcy.
Subsequently, several lawsuits tied to the breach were filed against some of AMCA's largest clients - including medical test laboratories Quest Diagnostics and LabCorp - whose patient data was affected by the incident (see Multiple Class Action Lawsuits Filed in AMCA Breach).
The Blackbaud ransomware incident is a reminder to healthcare organizations about important security risk issues.
"A mega-breach like this ... will likely result in many taking a closer look to re-examine their own security infrastructure," says Susan Lucci, senior privacy and security consultant at tw-Security.
"It is essential that we remind ourselves there is no 100% guarantee to ensure data is secure from any potential hacking or breach. Cybercriminal processes evolve, and people will continue to make mistakes that can lead to a security incident."
Healthcare entities should take a hard look at what information is being provided to their vendors and "inquire how the data is partitioned or segregated to reduce the possibility of a data breach affecting multiple customers again," Lucci stresses.