Blackbaud May 2020 Data Breach and Ransomware Attack Illinois Class Action

Blackbaud, Inc. serves clients like schools, hospitals, and nonprofits, managing, maintaining, and securing their data and servers. In May 2020, it announced it had been the victim of a ransomware attack and data breach, exposing the private information and even private health information of its clients’ students, patients, and donors. This complaint alleges that Blackbaud had inadequate safeguards to prevent the attacks, among other things.

The class for this action is all persons in Illinois whose private information and private health information were compromised in the February through May 2020 data breach described by Blackbaud at www.blackbaud.com/securityincident.

The complaint claims that the ransomware attack “began in February of 2020 and continued for approximately three months until it stopped in May of 2020. Blackbaud only discovered the vulnerability only in May 2020.

Blackbaud’s statements claimed, “After discovering the attack, our Cyber Security team—together with independent forensics experts and law enforcement—successfully prevented the cybercriminal from blocking our system access and fully encrypting files; and ultimately expelled them from our system.” However, it admitted that “[p]rior to our locking the cybercriminal out, the cybercriminal removed a copy of a subset of data from our self-hosted environment.”

The information exposed in the data breach included Social Security numbers, credit card information, bank account numbers, personal health information (PHI), and other personally identifiable information (PII) that could be used for identity theft. The complaint alleges that Blackbaud “maintained and secured the Private Information and PHI in a reckless manner, including, inter alia, failing to safeguard against ransomware attacks.”

The complaint also asserts, “Upon information and belief, the mechanism of the cyberattack and potential for improper disclosure of … Private Information and PHI was a known risk to [Blackbaud], and thus [Blackbaud] was on notice that failing to take steps necessary to secure the Private Information and PHI form those risks left that property in a dangerous condition.”

The complaint faults Blackbaud for a number of things:

  • For not properly safeguarding the information of its customers.
  • For not giving its customers “timely and adequate notice” of the data breach.
  • For not identifying all information that was accessed in the data breach.
  • For not giving its customers any redress for the data breach.

The complaint alleges that Blackbaud “did not have sufficient process or policies in place to prevent such cyberattack, which is evident by its own statements that it has ‘already implemented changes to prevent this specific issue from happening again.’”

The counts include negligence, breach of express and implied contract, and negligence per se.

Article Type: Lawsuit
Topic: Privacy

Most Recent Case Event

Blackbaud May 2020 Data Breach and Ransomware Attack Illinois Complaint

September 28, 2020

Blackbaud, Inc. serves clients like schools, hospitals, and nonprofits, managing, maintaining, and securing their data and servers. In May 2020, it announced it had been the victim of a ransomware attack and data breach, exposing the private information and even private health information of its clients’ students, patients, and donors. This complaint alleges that Blackbaud had inadequate safeguards to prevent the attacks, among other things.

Blackbaud May 2020 Data Breach and Ransomware Attack Illinois Complaint

Case Event History

Blackbaud May 2020 Data Breach and Ransomware Attack Illinois Complaint

September 28, 2020

Blackbaud, Inc. serves clients like schools, hospitals, and nonprofits, managing, maintaining, and securing their data and servers. In May 2020, it announced it had been the victim of a ransomware attack and data breach, exposing the private information and even private health information of its clients’ students, patients, and donors. This complaint alleges that Blackbaud had inadequate safeguards to prevent the attacks, among other things.

Blackbaud May 2020 Data Breach and Ransomware Attack Illinois Complaint
Tags: Exposing Private Information, Exposure to cyber crime, Ransomware Attack