Blackbaud and Marietta Area Health Care Settles Alleged HIPAA Violations

Blackbaud and 49 states and the District Of Columbia have agreed on a $49.5 million settlement to take care of accusations of inadequate data security measures and an insufficient reaction to its 2020 ransomware attack. Delaware corporation, Blackbaud, is based in Charleston, South Carolina, that offers donor relationship management software systems to a number of companies, which include healthcare companies, schools, and religious and cultural institutions.

Blackbaud encountered a ransomware attack on May 14, 2020 that led to the extraction of sensitive donor data. Although data encryption was in place, over a million files were compromised during the attack, including information from about one-fourth of its customers (13,000), which include numerous healthcare companies. Blackbaud reported the ransomware attack last July 16, 2020. The affected clients then informed their donors concerning their stolen data, nonetheless, Blackbaud only confirmed the theft of financial data and Social Security numbers in late September. Earlier statements released in connection with the breach initially stated that no financial data or SSNs were stolen, then the probability of financial data and SSNs theft was only hypothetical. Blackbaud had earlier paid $3 million to resolve an investigation by the Securities and Exchange Commission.

The attorneys general in Vermont and Indiana led the multistate investigation and reviewed the data security measures at Blackbaud before the data breach and its reaction upon discovery of a security breach. Business associate Blackbaud needs to adhere to particular conditions of the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules. Those specifications consist of implementing and keeping proper administrative, physical, and technical safeguards to make sure the integrity, confidentiality, and availability of any protected health information (PHI) it has access to. The investigation discovered those practices to be insufficient and Blackbaud hadn’t dealt with identified security vulnerabilities. Because of those problems, unauthorized persons were able to acquire access to its system and steal the sensitive information of its clients and their donors.

Blackbaud likewise did not immediately, totally, or correctly notify its clients regarding the data breach. Inadequacies in its incident response program retarded the procedure of informing the impacted clients and, in some instances, those clients were not informed in any way. The failures in security and data breach notification were considered violations of the HIPAA Policies and state consumer protection regulations.

Aside from paying a $49.5 million financial penalty, the settlement agreement calls for the following actions from Blackbaud:

  • Applying and maintaining an extensive data security program.
  • Applying and maintaining a breach response plan to ensure a proper response to any potential security incidents.
  • Create breach notification conditions, which call for Blackbaud to give proper help to its clients and assist its customer compliance with appropriate notice in case of any potential breach.
  • Implement data safeguards and configurations, which include total database encryption and dark web tracking.
  • Apply network segmentation, attack detection tools, patch management procedures, firewalls, access controls, record and check system notifications for indications of unauthorized action, and perform penetration testing.
  • Submit any security incident report to its Chief Executive Officer and the board.
  • Improve worker training.
  • Earmark proper resources and assistance for cybersecurity.
  • Enable third-party checks of its compliance with the arrangement for seven years.

Avoid misrepresenting information about the processing, keeping, and securing of personal data; the probability that personal data impacted by a security incident could be at risk of more disclosure or improper use; and breach notification specifications as per state legislation and HIPAA.

California was the only state that did not get involved in the action, as it is performing its own enquiry. Besides a possible settlement with California, Blackbaud is resolving a combined class action lawsuit associated with the data breach.

Marietta Area Health Care Pays $1.75 Million to Settle Class Action Data Breach Lawsuit

Not-for-profit health system, Marietta Area Health Care, based in Ohio that works as Memorial Health System, has offered a $1.75 million settlement to take care of a class action lawsuit that claimed it was unable to secure patient health information, causing a cyberattack and information breach.

Malware was discovered inside its system on August 14, 2021, and the investigation confirmed that hackers got access to its IT network systems from July 10, 2021, to Aug. 15, 2021. It was also confirmed in the middle of September that patient information was possibly accessed or obtained in the attack. The analysis of the impacted files was finished on November 1, 2021, when it was affirmed that the PHI of over 215,000 patients was compromised, which includes names, addresses, health/treatment data, medical insurance details, and Social Security numbers. Impacted patients were informed in January 2022 and were provided free credit tracking services.

The Tucker v. Marietta Area Health Care d/b/a Memorial Health System lawsuit was submitted in the U.S. District Court for the Southern District of Ohio. Allegedly, the defendants did not put into action affordable and proper security steps to ensure the privacy of patient information. Implementing those measures could have prevented the cyberattack.

Instead of facing legal action and dealing with the expenditure and uncertainty of trial, Marietta Area Health Care offered a settlement to resolve all claims associated with the cyberattack and data breach without admitting wrongdoing. As per the conditions of the settlement, class members – all people who were informed by mail concerning the cyberattack may file claims and get as much as $5,000 as payment for out-of-pocket expenditures sustained because of the data breach, which include bank charges, credit costs, reimbursement for about 4 hours of lost time at $25 an hour, and any unreimbursed losses to ID theft and fraud. After covering all claims, all class members are qualified to get a percentage of any leftover negotiation funding, which is predicted to be about $50.

Claims should be published by October 15, 2023. The last approval hearing is scheduled for December 4, 2023.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at