In May 2020, the cloud software corporation Blackbaud encountered a ransomware attack. As is typical in human-operated ransomware attacks, the attackers exfiltrated files before file encryption. A few of the stolen data files included the fundraising listings of its healthcare clients.
Rady Children’s Hospital located in San Diego is one of the healthcare companies affected. It is California’s biggest children’s hospital with regard to admissions. A presented class-action lawsuit alleges that Rady was at fault for being unable to secure the sensitive information of 19,788 persons which the hackers acquired via Blackbaud’s donor management software program.
The lawsuit claims Rady did not use enough security measures and didn’t make sure Blackbaud had sufficient security measures ready to safeguard ePHI and make sure it stayed confidential. The lawsuit claims those impacted by the breach are experiencing a forthcoming, immediate, extensive, and continuing increased threat of identity theft and scam because of the breach and Rady’s fault.
Blackbaud uncovered the ransomware attack last May 2020. The investigation showed the hackers acquired access to the fundraising listings of its healthcare customers between February 7 and June 4, 2020. Blackbaud claimed the hackers were removed from the network the minute the breach was identified however, had uncovered that the hackers obtained a part of client files.
Blackbaud decided to give the ransom payment to make certain the stolen files were deleted. The attackers gave guarantees that the records were completely destroyed. Rady sent breach notification letters mentioning that the types of details possibly acquired by the attackers contained patients’ names, dates of birth, addresses, physicians’ names, and the division that offered the healthcare services.
The lawsuit states Rady could not reasonably say that the attackers destroyed the personal data of the plaintiffs. Based on the complaint, Blackbaud did not give proof or more information relating to the disposition of the information to affirm that the stolen records were deleted. The lawsuit furthermore claims neither Rady nor Blackbaud understood how the attackers exfiltrated files, and whether it was sent securely and whether it was intercepted by other people.
As per the lawsuit, Rady had the needed solutions to secure patient data yet took for granted the implementation of proper safety measures. The plaintiffs want compensation, extended security against identity theft and fraud, and also a court order to implement improvements to Rady’s security guidelines to be sure breaches like this, and many others specified in the report, don’t take place once more.
Blackbaud is additionally confronting a number of class action lawsuits connected with the breach. About 23 putative class-action lawsuits had been filed against Blackbaud based on its 2020 Quarter 3 Filing with the U.S. Securities and Exchange Commission. The lawsuits were submitted in 17 federal courts, 4 state courts, and 2 Canadian courts. Each one states that breach victims have endured harm due to the stealing of their personal information.
Blackbaud furthermore mentioned receiving above 160 claims from its clients and their legal representatives in Canada, the U.K. and U.S. Blackbaud is likewise under investigation by government bureaus and regulators, like 43 state Attorneys General and the District of Columbia, Federal Trade Commission, the Office Of The Privacy Commissioner Of Canada Department Of Health And Human Services, and the Information Commissioner’s Office The U K Gdpr Data Protection Authority.