
South Carolina-based company Blackbaud, which provides data management software for nonprofit organizations, has agreed to a $6.75 million settlement to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) and California’s data privacy laws. The allegations stem from a significant 2020 data breach that exposed sensitive information, including names, Social Security numbers, bank account details, and medical records.
The breach, initially disclosed by Blackbaud in May 2020, was later found to be more severe than first reported. Although the company initially claimed that no personal data had been accessed, it was later confirmed that consumer information had been compromised. Additionally, Blackbaud was criticized for failing to promptly notify affected individuals.
The California Department of Justice investigation revealed that hackers accessed Blackbaud’s internal systems and remained undetected for three months. The investigation highlighted several security lapses, including inadequate monitoring for suspicious activity, failure to implement multifactor authentication, and outdated security practices. Furthermore, Blackbaud was found to have made deceptive statements about its security protocols and the extent of the breach and to have retained data longer than necessary, even for clients no longer using its services.
California Attorney General Rob Bonta announced the settlement on June 13, 2024, emphasizing the importance of the agreement in strengthening data security measures. As part of the settlement, Blackbaud is required to enhance its data security practices, including network segmentation, improved monitoring of systems containing personal data, and ensuring prompt responses to suspicious activity. The company must implement stricter password security policies and securely dispose of outdated database backup files.
Attorney General Bonta stated, “Not only did Blackbaud fail to protect consumers’ personal information, but they misled the public of the full impact of the data breach. This is simply unacceptable. Today’s settlement will ensure that Blackbaud prioritizes safeguarding consumers’ personal information and enhances security measures to prevent future incidents.”
This settlement follows a series of legal actions against Blackbaud over the data breach. In September 2023, the company agreed to a $49.5 million settlement with 49 states and the District of Columbia. It also settled with the Securities and Exchange Commission for $3 million and reached an agreement with the Federal Trade Commission in May 2024, requiring the deletion of unnecessary data. Blackbaud faces ongoing litigation from individuals affected by the breach despite a federal judge denying class certification.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543