FTC orders Blackbaud to report on data practices
The Federal Trade Commission finalized an order Monday regarding Blackbaud, settling allegations that the cloud company failed to implement appropriate security for protecting data when it was attacked with ransomware in 2020.
The ruling follows separate monetary settlements with the U.S. Securities and Exchange Commission and multiple states.
WHY IT MATTERS
After an initial complaint in February, the FTC said in its final order that the cyberattack on Blackbaud went undetected for three months. The third-party vendor collects personally identifiable and protected health information for its revenue-cycle operations.
The FTC also noted in its announcement that Blackbaud waited nearly two months to notify its customers about the breach, and then misled consumers about the extent of the data stolen.
Under the settlement order, the trade agency requires Blackbaud to delete data it no longer needs and states that it is prohibited from "misrepresenting" its data-security and data-retention policies.
The company must also develop a comprehensive information security program that addresses complaints and report on data-deletion practices in a data-retention schedule for the agency.
It is also now required to notify the FTC if it experiences a future data breach that requires reporting to any other local, state or federal agency.
FTC Commissioner Andrew Ferguson did not participate in the decision, and Commissioner Melissa Holyoak was recused, according to an agency statement.
This past month, the company's board of directors rejected a $4.3 billion bid from Clearlake Capital Group, which currently owns an 18.3% stake in Blackbaud, according to Reuters. The private equity firm became an investor in 2020 and has made two bids to buy out the company, according to the story.
THE LARGER TREND
Last year, Blackbaud settled with the U.S. Securities and Exchange Commission for $3 million to address federal charges that it made misleading disclosures following the 2020 ransomware attack. Then, in October, Blackbaud agreed to pay 49 states and the District of Columbia $49.5 million to resolve investigations.
"Cyberattacks are always evolving, so we are continually strengthening our cybersecurity and compliance programs to ensure our resilience in an ever-changing threat landscape," Mike Gianoni, the company's president and CEO, said in a statement after the multistate settlement.
Since 2009, the FTC has expanded rules under its Health Breach Notification Rule to target health and wellness technology companies operating outside of HIPAA.
ON THE RECORD
"As a result of these failures, a hacker in early 2020 exploited weaknesses in Blackbaud’s networks, which went undetected for three months, allowing the hacker to remove massive amounts of unencrypted sensitive consumer data," said FTC officials in a statement.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.