AG Henry Announces $49.5 Million Multistate Settlement with Blackbaud for Data Breach that Impacted Millions of U.S. Consumers

October 5, 2023 | Topic: Consumers

HARRISBURG — Attorney General Henry announced that Pennsylvania joined 49 other Attorneys General in a settlement with software company Blackbaud over its flawed security practices and its response to a 2020 data breach that impacted millions of consumers nationwide.

Blackbaud, which specializes in data management and outreach for nonprofits, healthcare and educational institutions, will pay $49.5 million — nearly $1.4 million to Pennsylvania — and has agreed to strengthen data security and breach notification protocols.

The settlement concerns a 2020 ransomware attack, after which Blackbaud failed to immediately notify impacted consumers and, when it did notify them, concealed the true scope and impact of the breach.

“Blackbaud’s response to this massive breach of information was unacceptable on nearly all fronts, with the company essentially staying silent for months and then minimizing the real impact to customers,” Attorney General Henry said. “The breach involved stolen social security numbers, health information, and other sensitive data, and consumers should have been informed right away.”

The breach impacted more than 13,000 organizations and entities, and in turn, many millions of those entities’ consumers.

Under the settlement, Blackbaud has agreed to strengthen its data security and breach notification practices going forward, including, but not limited to:

  • Prohibition against misrepresentations related to the processing, storing, and safeguarding of personal information; the likelihood that personal information affected by a security incident may be subject to further disclosure or misuse; and breach notification requirements under state law and HIPAA.
  • Implementation and maintenance of incident and breach response plans to prepare for and more appropriately respond to future security incidents and breaches.
  • Breach notification provisions that require Blackbaud to provide appropriate assistance to its customers and support customers’ compliance with applicable notification requirements in the event of a breach.

Indiana and Vermont co-led the multistate investigation, assisted by the Executive Committee consisting of Alabama, Arizona, Florida, Illinois, and New York, and joined by Alaska, Arkansas, Colorado, Connecticut, Delaware, District of Columbia, Georgia, Hawaii, Idaho, Iowa, Kansas, Kentucky, Louisiana, Maine, Maryland, Massachusetts, Michigan, Minnesota, Mississippi, Missouri, Montana, Nebraska, Nevada, New Hampshire, New Jersey, New Mexico, North Carolina, North Dakota, Ohio, Oklahoma, Oregon, Pennsylvania, Rhode Island, South Carolina, South Dakota, Tennessee, Texas, Utah, Virginia, Washington, West Virginia, Wisconsin, and Wyoming.

# # #