Fraud Management & Cybercrime , Healthcare , Industry Specific

Judge Denies Class Certification in Blackbaud Hack Lawsuit

2020 Attack Affected 13,000 Blackbaud Clients, 1.5 Billion of Their 'Constituents'
Judge Denies Class Certification in Blackbaud Hack Lawsuit
Consolidated class action litigation against Blackbaud alleges that data for 1.5 billion individuals was affected in a 2020 attack against the South Carolina-based software vendor. (Image: Blackbaud)

A federal judge has denied class certification in consolidated proposed class action litigation against Blackbaud stemming from the cloud-based fundraising software vendor's 2020 ransomware attack that affected 13,000 clients and compromised data of about 1.5 billion donors, patients and other individuals.

See Also: VMware Carbon Black App Control

In his ruling Tuesday, U.S. District Court Judge Joseph Anderson for the U.S. District Court of South Carolina said he was denying certification because plaintiffs failed to demonstrate that the proposed class and subclasses were "ascertainable."

The case is the consolidation of more than two dozen proposed class action lawsuits filed against South Carolina-based Blackbaud in the wake of the breach.

The lawsuit's proposed classes includes "nationwide negligence and gross negligence classes under Massachusetts common law for all natural persons residing in the U.S." whose unencrypted information was stored in the database compromised in the attack, as well as four subclasses, including one each for affected residents living in New York or Florida, and two for residents residing in California.

The plaintiffs in the case failed to show an "administratively feasible" way for the court to determine whether a particular individual is a class member without extensive and individualized fact-finding, the judge said.

"This court denies plaintiffs' motion for class certification because of plaintiffs' failure to meet their burden of proof as to ascertainability," Anderson said.

Attorneys representing the plaintiffs in the litigation did not immediately respond to Information Security Media Group's requests for comment on the ruling and what's potentially next in their case.

Attorney Ron Raether, a partner at law firm Troutman Pepper, which is representing Blackbaud in the case, told ISMG in a statement: "We are pleased with the district court's thorough and well-reasoned opinion. We look forward to continuing to represent Blackbaud's interests in subsequent phases of the litigation."

Breach Details

Anderson in his ruling said that between Feb.7 and May 20, 2020, unknown threat actors infiltrated some of Blackbaud's data centers that are located in Massachusetts. The attackers initially accessed Blackbaud's remote desktop environment by using a compromised customer account and then gained widespread access to the company's data centers.

"Plaintiffs allege that over 400 terabytes of data was successfully exfiltrated, and the threat actors subsequently demanded that Defendant pay a ransom in exchange for their deletion of the data. Defendant paid the ransom, but it never received any proof that the data had been deleted," the court document says.

Anderson said that the amended complaint in the consolidated case alleges that the breach was able to occur and remain undetected for months because Blackbaud did not have adequate safeguards in place to prevent the breach. "Plaintiffs also criticize Defendant's remediation efforts after discovering the breach, contending that its response was negligent and misleading," he said.

"Accordingly, plaintiffs contend that putative class members' data remains susceptible to misuse and is actively being marketed on the dark web," the ruling says.

"Approximately 90,000 backup files belonging to 13,000 Blackbaud customers and containing data belonging to approximately 1.5 billion constituents were impacted by the breach."

Blackbaud at the time of the incident provided customers with varying combinations of 11 separate products, court documents said.

"Defendant's customers can customize these products once they purchase them, and its customers have ultimate control over the data that is stored using these products, how it is stored, whether encrypted fields are used as designed by defendant, and whether a product is customized to suit a given customer's specific needs," the court document says.

"As a result of the data breach, nearly 90,000 backup files containing data belonging to 13,000 customers were accessed. In other words, the threat actors accessed a slew of customer backup files during the breach, as opposed to the 'live' databases that Defendant also maintains," plaintiffs allege in the document.

In their consolidated lawsuit, plaintiffs represent a putative class of individuals - or "constituents" - whose data was provided to Blackbaud customers and was ultimately hosted by Blackbaud, Anderson said in his ruling.

"The plaintiffs' lawsuit asserts that their personally identifiable information and protected health information were compromised when threat actors successfully infiltrated Defendant's systems."

More Trouble

Blackbaud has already faced several enforcement actions, including settlements and fines, by federal and state government regulators in the wake of the incident.

In February, the Federal Trade Commission ordered South Carolina-based Blackbaud to delete personal data that is no longer needed and to implement a long list of security improvements in the wake of the hack.

The FTC cited Blackbaud for a number of FTC Act violations, including deceptive breach notification statements and deceptive statements about its information security practices (see: FTC Blasts Blackbaud's Shoddy Practices in Ransomware Hack).

The FTC said unencrypted information compromised in the Blackbaud incident included name, age, birthdate, Social Security number, home address, phone number, email address and financial information - including bank account information, estimated wealth and identified assets.

Medical information for millions of individuals was also compromised in the hack, including patient and medical record identifiers, treating physician names, health insurance information, medical visit dates, reasons for seeking medical treatment, gender, religious beliefs, marital status, spouse names, spouses' donation history, employment information - including salary, educational information and account credentials, the FTC said.

Last fall, Blackbaud agreed to pay $49.5 million to settle an investigation by the attorneys general of 48 states, plus the District of Columbia, into the company's data security practices in the wake of the ransomware attack (see: Blackbaud Pays $49.5M to Settle With State AGs in Breach).

Like the FTC's order against Blackbaud, that multistate settlement required the company to implement data security improvements. They included network segmentation, encryption, patch management, reporting of security incidents to its CEO and board, and a pledge to refrain from misrepresenting details of its data security practices.

In March 2023, the U.S. Securities and Exchange Commission ordered Blackbaud to pay a $3 million civil penalty after regulators had determined that the company filed an August 2020 quarterly report that omitted facts about its cybersecurity incident by not disclosing that hackers had obtained unencrypted bank account and Social Security numbers (see: Blackbaud to Pay $3 Million Over 'Erroneous' Breach Details).

But U.S. federal and state regulators aren't the only government entities taking action against Blackbaud. Britain's Information Commissioner's Office reprimanded the company in September 2021 without levying a fine. Reprimands typically detail the ways in which the privacy watchdog thinks an organization has violated the U.K.'s General Data Protection Regulation and make recommendations for addressing these shortcomings.

About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.