Blackbaud: The Behemoth Data Breach You Haven’t Heard About — But Should
Blackbaud: The Behemoth Data Breach You Haven’t Heard About — But Should
Posted on behalf of Arnold Law Firm
on November 9, 2020 in Data Breach Updated on February 24, 2022
Amongst the flurry of recent data breaches, a few household names might catch your eye – such as Dickey’s BBQ or Kylie Cosmetics. However, some of the most pervasive and potentially damaging cybersecurity incidents remain largely under the public radar despite their massive reach.
The Blackbaud ransomware attack may prove to be one of the most extensive, complex data breaches of 2020, as the list of affected organizations (and individuals) continues to grow months after the incident was first discovered. One such recent addition is Stetson University.
What is Blackbaud, and Why are so Many Entities Involved?
Blackbaud is one of the world’s largest cloud-based technology vendors that provides services for nonprofits, foundations, corporations, educational institutions and healthcare organizations. Headquartered in Charleston, South Carolina, the company reports over 45,000 customers in over 100 countries, including the United States, the United Kingdom, Australia and Canada. Its market capitalization is $3.2 billion on reported revenue of $908 million.
What Happened?
On May 20, 2020, Blackbaud discovered a hack on its self-hosted environment that allowed the theft of sensitive personal information of client donors, potential donors, patients, community members with relationships with entities and other individuals tied to affected organizations. The security incident began on February 7, 2020 and continued until it was discovered in May.
In mid-August, Blackbaud began notifying clients that were impacted by the ransomware attack. Initially, the vendor claimed that highly confidential data, such as banking information, was not at risk. However, further forensic investigation suggested otherwise for some customers. Blackbaud began updating affected clients of this development on September 27, 2020.
Compromised data varies by entity and collectively includes:
Names
Phone numbers
Addresses
Birthdates
Donation history
Events attended
Bank account information
Credentials
Social Security numbers (SSN)
Usernames
Passwords
Provider names
Dates of service
Blackbaud reportedly paid the ransom demand and claims to have obtained confirmation that the stolen data has been destroyed. Unfortunately, according to industry experts, ransomware actors generally cannot be relied on to destroy data as promised, so exposed personal information may still lead to further security issues, including identity theft and fraud.
Who was Affected?
It is unknown how many of Blackbaud’s 45,000 non-profit and government customers were impacted. The largest known client involved in the breach is Inova Health System in Virginia with 1.05 million individuals affected.
Blackbaud clients who have released public statements and/or formal notices of data breach include:
American Red Cross
Atrium Health
Berkshire Farm Center & Services for Youth, Inc.
Burke Rehabilitation Hospital
Cancer Research Institute
Children’s Hospital of Pittsburgh Foundation
Corning Glass Museum of Glass, New York
Devereux Advanced Behavioral Health
Enloe Medical Center
Feed More, Virginia
George W. Bush Presidential Center
Guthrie Clinic
Harvard University
Human Rights Watch
Inova Health System, Virginia
Joslin Diabetes Center
Main Line Health
March of Dimes
Middlebury College, Vermont
Montefiore Medical Center
MultiCare Foundation
New College of Florida
Northern Light Foundation, Maine
NorthShore University Health System, Illinois
Northwest Immigrant Rights Project
Northwestern Memorial HealthCare
Parrish Art Museum, New York
Planned Parenthood
Prelude Behavior Services
Rady Children’s Hospital, San Diego
Rhode Island School of Design
Roper St. Francis Healthcare
Saint Luke’s Foundation
St. Joseph School
Smithsonian Institution
Spectrum Health
Stetson University
The Boy Scouts of America
The Christ Hospital Health Network
Trinity Health
University of Kentucky HealthCare
University of North Florida
Vermont Foodbank
Vermont Public Radio
West Virginia University
White Plains Hospital
Legal Action
In response to the massive data breach, at least 10 separate class-action lawsuits have been filed against Blackbaud, including in the U.S. District Court of South Carolina, the U.S. District Court Western District of Washington and the California Central District Court. A motion has been filed to consolidate these lawsuits into one.
How do I join a class action suit?
If you received a NOTICE OF DATA BREACH for one of these data breaches and a class action lawsuit has been filed, you will be included automatically in the class unless you opt-out and no further action will be required by you. Class members have a passive role throughout class action litigation. If the lawsuit is successful, all class members receive equal compensation which is awarded to all class members, regardless of the degree of harm they suffered.
After a drunk driver hit me I wasn’t really sure what to do. A friend of mine Highly Recommended Arnold Law Firm, what a great recommendation it has been! The staff from lawyers to assistants has been nothing short of amazing. Always are calling and emailing me to update what is going on with your case. A very nerve racking thing to deal with personal injury and what comes from it. But with Arnold Law Firm you can rest knowing they are fighting for every inch for you. Need a law office? Look no further!
This firm is a joy to work with, they really care about their clients. Mr. Minney and Deena were wonderful to work with.
I am very grateful for the services I got from Arnold Law Firm! Everyone was great! Stephanie was awesome! Her dedication and perseverance were admirable! She was the person behind the success of my claim! I truly appreciate her in particular, and Arnold Law Firm staff, in general!
So far, we are very happy with Arnold Law Firm and the personal service we have received by Dominic Sandaval. We are looking forward to continuing this relationship through the remainder of our law suit.
Thank you, Gilbert and Joanne Joseph
Not just legal experts, The Arnold Law Firm and my case manager Stephanie Baffoni genuinely cares about you.
The Arnold Law Firm has a proven track record of success fighting for their clients and I am very thankful to have them supporting me during a very challenging time. What I did not expect is the level of compassion, partnership, and trust Stephanie and the team strives to achieve in what could have been a purely transactional relationship.If you want to be treated like a person, not a number, and know someone is looking out for your best interests, then look no further.