Last week, 49 state attorneys general announced a $49.5 million settlement with Blackbaud, Inc.  (Blackbaud) over the software company’s data-security practices and its response to a breach in 2020 that exposed the personal information of millions of individuals.

Blackbaud provides software solutions to nonprofit organizations, including charities, schools and healthcare agencies, to help them connect with donors and manage data about their constituencies. The data consists of demographic information, Social Security numbers, driver’s license numbers, financial data, employment and wealth information, donation histories and protected health information.

Specifically, the settlement pertains to a 2020 ransomware breach perpetuated by a criminal ransomware group exposing highly sensitive information of more than 13,000 Blackbaud customers, which are mostly charities and non-profits. The breach exposed those organizations’ sensitive information, including personal information related to their donor bases and program participants. Blackbaud complied with the attackers' demand for ransom after being told that all the stolen data was destroyed.

The settlement resolves allegations from the state attorneys general that Blackbaud violated state consumer protection laws, breach-notification laws and the Health Insurance Portability and Accountability Act (HIPAA). The alleged violations stemmed in part from the company’s failure to establish reasonable data security and remediate the known security gaps, allowing unauthorized individuals to gain access to Blackbaud’s network.

It was further alleged that Blackbaud failed to promptly, completely or accurately inform its customers about the breach, as required by law. The states claim those lapses significantly delayed the process of notifying those whose personal information was compromised, and, in some cases, there was no notification at all. This comes hard on the heels of Blackbaud’s $3 million settlement with the Securities and Exchange Commission in March of 2023, resolving multiple alleged violations of the Securities Act of 1933 arising from Blackbaud’s allegedly incomplete disclosures related to the same ransomware incident.

Under the settlement, Blackbaud must, among other requirements:

• Refrain from misrepresenting details of : (1) its processing, storing and safeguarding of personal information; (2) the likelihood that personal information affected by a security incident may be subject to further disclosure or misuse; and (3) breach notification requirements under state law and HIPAA.
• Implement and maintain a breach response plan to ensure an appropriate response to any future security incident or breach.
• Establish breach-notification provisions that, in the event of a breach, require Blackbaud to provide appropriate assistance to its customers and support its customer compliance with applicable notification requirements.
• Report security incidents to its CEO and board, provide enhanced employee training and earmark appropriate resources and support for cybersecurity.
• Implement personal information safeguards and controls requiring total database encryption and dark web monitoring.
• Enable specific security requirements with respect to network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring and penetration testing.
• Allow third-party assessments of its compliance with the settlement for seven years.

The settlement agreement is available here.

This case serves as another example that companies, including HIPAA covered entities, should carefully review the information security policies of their vendors and business associates to ensure compliance with applicable law, including the HIPAA Privacy and Security Rules. Companies that serve as business associates, or handle sensitive information must also have the proper protocol in place to ensure this information is protected.