Blackbaud settles ransomware data breach investigations for $49.5M
Photo: NorthShore University HealthSystem
Blackbaud served 35,000 nonprofit fundraising entities, including many healthcare organizations, when it was infected in 2020 with ransomware and data – personally identifiable information and protected health information like admission and discharge dates and physician names and specialties – was exfiltrated.
WHY IT MATTERS
In the multistate settlement over its data security practices and response to the breach, Blackbaud said it has agreed to maintain data protection compliance and improve cybersecurity programs, and not make "misleading statements related to its data protection, privacy, security, confidentiality, integrity, breach notification requirements and similar matters."
The company also noted in a statement Thursday that it would make the payments from existing liquidity reflected as a contingent liability in its June financial statement.
THE LARGER TREND
In March, Blackbaud settled with the U.S. Securities and Exchange Commission for $3 million to address federal charges that it made misleading disclosures about the 2020 ransomware attack, which impacted more than 13,000 customers and exposed the PII of millions of Americans nationwide.
According to the Reuters report, the SEC said Blackbaud's disclosure indicated that the attacker had not accessed bank account information or Social Security numbers of donors. The agency also said an August 2020 quarterly filing omitted material information about the scope of the attack.
In July 2020, the South Carolina-based vendor informed the NorthShore University HealthSystem in Chicago that 348,000 of its patients had information exposed in the breach. At the time, Blackbaud said no credit card, bank account information, social security numbers, or user login credentials and passwords were accessed.
NorthShore reportedly looked further into the matter and discovered that, while its medical records were not breached, the data on Blackbaud's servers included admission and discharge dates, locations of services, and physician names.
Third-party vendors like Blackbaud are a significant attack surface for the healthcare ecosystem, and several leaders are urging the federal government to go on the offensive to protect the critical sector.
If they successfully hack one mission-critical vendor, they stand to gain access to PHI for hundreds of hospitals, said John Riggi, national advisor for cybersecurity and risk for the American Hospital Association.
"The cyber adversaries have mapped our sector," he told Healthcare IT News in December.
"They have figured out where the key strategic nodes are – those mission-critical third parties that have either access to bulk data or they themselves have aggregated it," he said.
ON THE RECORD
"At Blackbaud, protecting customers' and their constituents' privacy has always been, and will continue to be, one of our most important priorities," said Mike Gianoni, the company's president and CEO, in a statement.
"Cyberattacks are always evolving, so we are continually strengthening our cybersecurity and compliance programs to ensure our resilience in an ever-changing threat landscape," he assured.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.