Settlement reached with software company Blackbaud after multiple data breaches impact schools, hospitals and nonprofits

A national settlement with the software company Blackbaud for “deficient data-security practices and deficient response to a 2020 ransomware event” shows the company would pay a total of $49.5 million with Minnesota receiving $780,273.

A news release from Attorney General Keith Ellison’s Office said the data breach exposed the personal information of millions of Americans. As part of the settlement, Blackbaud agreed to overhaul its data security and breach-notification practices in addition to payouts for all 50 states in the U.S.

The company provided software services to Children’s Minnesota Hospital and the nonprofit Como Friends.

RELATED: Como Friends warns donors of data breach

The software was used to connect with donors and manage data about their constituents.

RELATED: Limited Children’s Minnesota patient, donor data may have been breached

The 2020 breach impacted at least 13,000 Blackbaud customers and their constituents, with 400 TB of data containing Social Security numbers, driver’s license numbers, payment card information, employment, donation history and protected health information reported stolen.

Investigators found the breach began in January of 2020 and was discovered by Blackbaud by at least May 2020, but wasn’t announced until at least two months later in July 2020.

The news release states that when the company first notified customers, Blackbaud did not accurately convey the scope or severity of the breach and did not tell customers what information was compromised. This prevented customers from taking the steps necessary to protect themselves and their constituents.

The AG’s office adds that the company’s marketing misled customers into thinking they had strong data-security practices while they were “woefully deficient.”

Blackbaud also agreed to the following terms under the settlement:

  • Prohibition against misrepresentations related to the processing, storing, and safeguarding of personal information; the likelihood that personal information affected by a security incident may be subject to further disclosure or misuse; and breach-notification requirements under state law and HIPAA. 
  • Implementation and maintenance of incident- and breach-response plans to prepare for and more appropriately respond to future security incidents and breaches. 
  • Breach-notification provisions that require Blackbaud to provide appropriate assistance to its customers and support customers’ compliance with applicable notification requirements in the event of a breach. 
  • Security-incident reporting to the CEO and Board, enhanced employee training, and appropriate resources and support for cybersecurity. 
  • Personal information safeguards and controls requiring total database encryption and dark web monitoring.  
  • Specific security requirements with respect to network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing. 
  • Third-party assessments of Blackbaud’s compliance with the settlement for 7 years.  

The company was accused of violating state consumer protection laws, breach-notification laws and HIPAA.

AG Ellison released the following statement in response to the settlement, which can be found by CLICKING HERE, as well as at the bottom of this article:

“This incident reflects one of the worst responses to a data breach I have seen to date. Businesses that collect personal data need to both ensure that data is protected and respond appropriately to notify consumers if a data breach occurs. Blackbaud failed on both counts and put their customers at risk of financial and identity theft, breaches of privacy, and more in the process. This settlement reflects our commitment to holding companies accountable when they do not adequately protect Minnesota consumer data.”

Attorney General Keith Ellison