Blackbaud: The Behemoth Data Breach You Haven’t Heard About — But Should
Blackbaud: The Behemoth Data Breach You Haven’t Heard About — But Should
Posted on behalf of Arnold Law Firm
on November 9, 2020 in Data Breach Updated on February 24, 2022
Amongst the flurry of recent data breaches, a few household names might catch your eye – such as Dickey’s BBQ or Kylie Cosmetics. However, some of the most pervasive and potentially damaging cybersecurity incidents remain largely under the public radar despite their massive reach.
The Blackbaud ransomware attack may prove to be one of the most extensive, complex data breaches of 2020, as the list of affected organizations (and individuals) continues to grow months after the incident was first discovered. One such recent addition is Stetson University.
What is Blackbaud, and Why are so Many Entities Involved?
Blackbaud is one of the world’s largest cloud-based technology vendors that provides services for nonprofits, foundations, corporations, educational institutions and healthcare organizations. Headquartered in Charleston, South Carolina, the company reports over 45,000 customers in over 100 countries, including the United States, the United Kingdom, Australia and Canada. Its market capitalization is $3.2 billion on reported revenue of $908 million.
What Happened?
On May 20, 2020, Blackbaud discovered a hack on its self-hosted environment that allowed the theft of sensitive personal information of client donors, potential donors, patients, community members with relationships with entities and other individuals tied to affected organizations. The security incident began on February 7, 2020 and continued until it was discovered in May.
In mid-August, Blackbaud began notifying clients that were impacted by the ransomware attack. Initially, the vendor claimed that highly confidential data, such as banking information, was not at risk. However, further forensic investigation suggested otherwise for some customers. Blackbaud began updating affected clients of this development on September 27, 2020.
Compromised data varies by entity and collectively includes:
Names
Phone numbers
Addresses
Birthdates
Donation history
Events attended
Bank account information
Credentials
Social Security numbers (SSN)
Usernames
Passwords
Provider names
Dates of service
Blackbaud reportedly paid the ransom demand and claims to have obtained confirmation that the stolen data has been destroyed. Unfortunately, according to industry experts, ransomware actors generally cannot be relied on to destroy data as promised, so exposed personal information may still lead to further security issues, including identity theft and fraud.
Who was Affected?
It is unknown how many of Blackbaud’s 45,000 non-profit and government customers were impacted. The largest known client involved in the breach is Inova Health System in Virginia with 1.05 million individuals affected.
Blackbaud clients who have released public statements and/or formal notices of data breach include:
American Red Cross
Atrium Health
Berkshire Farm Center & Services for Youth, Inc.
Burke Rehabilitation Hospital
Cancer Research Institute
Children’s Hospital of Pittsburgh Foundation
Corning Glass Museum of Glass, New York
Devereux Advanced Behavioral Health
Enloe Medical Center
Feed More, Virginia
George W. Bush Presidential Center
Guthrie Clinic
Harvard University
Human Rights Watch
Inova Health System, Virginia
Joslin Diabetes Center
Main Line Health
March of Dimes
Middlebury College, Vermont
Montefiore Medical Center
MultiCare Foundation
New College of Florida
Northern Light Foundation, Maine
NorthShore University Health System, Illinois
Northwest Immigrant Rights Project
Northwestern Memorial HealthCare
Parrish Art Museum, New York
Planned Parenthood
Prelude Behavior Services
Rady Children’s Hospital, San Diego
Rhode Island School of Design
Roper St. Francis Healthcare
Saint Luke’s Foundation
St. Joseph School
Smithsonian Institution
Spectrum Health
Stetson University
The Boy Scouts of America
The Christ Hospital Health Network
Trinity Health
University of Kentucky HealthCare
University of North Florida
Vermont Foodbank
Vermont Public Radio
West Virginia University
White Plains Hospital
Legal Action
In response to the massive data breach, at least 10 separate class-action lawsuits have been filed against Blackbaud, including in the U.S. District Court of South Carolina, the U.S. District Court Western District of Washington and the California Central District Court. A motion has been filed to consolidate these lawsuits into one.
How do I join a class action suit?
If you received a NOTICE OF DATA BREACH for one of these data breaches and a class action lawsuit has been filed, you will be included automatically in the class unless you opt-out and no further action will be required by you. Class members have a passive role throughout class action litigation. If the lawsuit is successful, all class members receive equal compensation which is awarded to all class members, regardless of the degree of harm they suffered.
I really love that law firm. They were on their job. They took care of me very well, and I highly recommend that law firm for any of your doings. I just wanna thank Josh and his crew for helping me all that they have. Done for me and my family.
Thank you to the Staff at Arnold Law Firm! This was my 3rd time using their services for different needs. Each time has been a smooth, honest and professional experience. They have provided me with guidance & consulting services to reach a positive outcome. Each time I have been pleasantly surprised! Thank you Arnold Law Firm! 🤗
A very special Thank You to Sal, Dominic & Jeff! 🤗🤗🤗
They always keep me up to date on my case. I also felt it was done in a timely manner!
Arnold Law firm provided me with an amazing experience. They were super communicative and assisted me with any needs or questions that I had during my journey to recovery and through financial hardship due to my car accident. I was hit by an uninsured motorist and would have been completely overwhelmed by all of the bills, paperwork, insurance nuances, and legal action needed. Jesus Garcia was an absolute pleasure to work with and I couldn’t be happier with the results.
Met with a lawyer who is taking care of my wife's potential lawsuit. He was nice and his assistant is really on top of things.I'd recommend them if you need representation. No upfront costs and reasonable expectations when suit is settled.