Blackbaud SEC Filing Provides Updated Information on Data Breach and Costs of Mitigation

The number of victims filing reports of being impacted by the Blackbaud ransomware attack and data breach has grown over the past couple of weeks. The Department of Health and Human Services’ Office for Civil Rights breach portal is continually being updated to log healthcare victims. The entities most recently added are OSF HealthCare System, Moffitt Cancer Center, and Geisinger. The three entities reported that the incident has affected a total of 276,600 people.

Although Blackbaud did not disclose the total number of affected individuals, about 250 healthcare providers, non-profits, and educational establishments are identified to have been affected. Reports of healthcare companies indicate that the breach impacted more than 10 million persons.

It is not surprising given that the breach costs suffered by organizations and the number of people who had their personal information exposed, Blackbaud is dealing with many class action lawsuits. At the least 23 proposed class action lawsuits were filed to date in the United States and Canada, as per its 2020 Q3 Quarterly Report submitted to the U.S. Securities and Exchange Commission (SEC). Of all the lawsuits, 2 were submitted in Canadian courst, 17 in the United States federal court, and 4 in state courts.

The lawsuits state that victims have sustained harm because of the breach and allege that there were a number of policies violations. Hence, the lawsuits are seeking damages, injunctive relief, and attorneys’ fees, and about 160 claims were gotten from Blackbaud’s customers from the United Kingdom, the U.S., and Canada.

In addition to the legal cases, regulators are investigating Blackbaud over data privacy laws violations. The investigating bodies include the Federal Trade Commission (FTC), the Department of Health and Human Services (HHS), and internationally by the United Kingdom’s Information Commissioner’s Office (ICO) and the Office of the Privacy Commissioner of Canada. Forty three state attorneys general and the District of Columbia also launched a joint investigation.

Based on the SEC filing, Blackbaud has already spent above $3.2 million in managing the cyberattack from July to September 2020, and $3.6 million in expenses in the last 9 months. That figure is canceled out by $2.9 million accrued in insurance recoveries between July and September.

Costs will continue to build up in the response to the breach and although those expenditures are most likely to be substantial. But Blackbaud believes its cyber insurance plan will cover the majority of the breach costs.

While the cyber insurance policies have already covered some of the expenses, there is no guarantee that the policies will pay for all expenditures. The probability of loss cannot be determined yet until a court has finally determined that a plaintiff has satisfied the appropriate class action procedural requirements.

In the discussion with financial analysts, Blackbaud revealed that the forensic investigation uncovered precisely how the hackers had gained access to its systems. The hackers exploited a flaw that was present in its early generation products that was already resolved and steps were already taken to fortify security. Blackbaud also explained that millions of dollar were put in cybersecurity and staff prior to the breach to be ready for such an attack.

Blackbaud had managed the ransomware attack however was not able to avoid the exfiltration of selected customer data. The company paid the ransom to avert data publication and believes that the payment held back any further data disclosures.