Blackbaud has decided to pay $6.75 million to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and California’s data privacy regulations that caused a major data breach in 2020. Blackbaud offers data management software programs to nonprofit businesses that can be used for fundraising campaigns. The software retains sensitive data which include names, bank account details, Social Security numbers, and medical data.
In May 2020, Blackbaud reported that hackers acquired access to internal programs. At first, Blackbaud gave a statement about the safety of consumers’ personal data. Later, Blackbaud issued a statement about the compromise of consumer information but did not send prompt breach notifications to the impacted persons.
The California Department of Justice investigated the data breach and confirmed that hackers got access to internal systems and was not discovered for three months. The attack happened because Blackbaud failed to put in place the proper security measures and adhere to standard security protocols. For example, despite keeping large volumes of highly sensitive information, Blackbaud failed to monitor suspicious activity inside its systems, did not implement multifactor authentication, and did not update security standards. Before the data breach, Blackbaud gave false statements regarding its security procedures and misrepresentations concerning the data breach. Blackbaud made the mistake of storing records for a longer time than required, including the data of consumers made available by clients who no longer use Blackbaud’s services.
On June 13, 2024, California Attorney General Rob Bonta reported reaching a settlement with Blackbaud to settle alleged HIPAA and California’s consumer privacy and data protection violations. Besides the financial penalty, Blackbaud needs to enforce data security enhancements to lower the risk of more cyberattacks and data breaches. The safety measures include stricter data security guidelines and procedures like network segmentation, tracking systems that contain personal information for suspicious actions, and setting up a response to alerts of suspicious activity.
Password security should be enhanced through password privacy and password rotation, or multifactor authentication. There must be a process for creating a database of backup files that contain personal data, for secure disposal of data no longer necessary, and for keeping personal data to the minimum required amount.
Blackbaud failed to safeguard consumers’ data and misinformed the public regarding the full effect of the data breach. This settlement will make sure that Blackbaud safeguards consumers’ data and improves security measures to avoid future data breaches.
Aside from this settlement with the California Attorney General, Blackbaud had made the following prior settlements:
- a $49.5 million settlement with 49 states and DC in September 2023
- a $3 million settlement with the Securities and Exchange Commission (SEC),
- a settlement with the Federal Trade Commission in May 2024 that required Blackbaud to remove all information no longer required by the company to offer its products and services.
Blackbaud is also facing lawsuits filed by individuals impacted by the data breach. A federal judge refused a class certification, but that does not mean the end of the litigation.