The guardian of a young patient whose personal information was compromised in last year’s massive Blackbaud data breach has sued the nonprofit Rady Children’s Hospital over the incident.
The ransomware attack, which was first disclosed in July, exposed the personal information of millions of people whose data was held by nonprofit clients of the software provider. The San Diego hospital uses Blackbaud as its database vendor.
According to the lawsuit, filed in federal court in California, patient names, addresses, dates of birth; the names of patients’ physicians; and the hospital department visited by the patients were exposed during the cyberattack. The class-action complaint accuses the health-care provider of negligence, invasion of privacy, and breach of implied contract, in addition to violating California’s consumer privacy protection and medical-information laws.
More Than 2 Dozen Lawsuits
Sometime from February to May 2020, a cybercriminal was able to access personal donor and constituent information from a backup server storing data from an unknown number of Blackbaud clients. The company paid a ransom to encourage the hacker to destroy the copy of the stolen data, “with confirmation that the copy they removed had been destroyed,” according to the company’s statement.
But Blackbaud has provided no additional information to reassure nonprofits and their supporters that their information hasn’t spread beyond the criminal. The company has said that bank details and credit-card and Social Security numbers were not compromised during the breach, but several nonprofits have said that some sensitive information was accessed.
More than two dozen lawsuits have been filed against the software provider. In December, the Judicial Panel on Multidistrict Litigation consolidated many of those federal cases.
But this is not the first suit targeting a nonprofit affected by the Blackbaud breach. A lawsuit filed in September named institutions including Harvard University, Bank Street College of Education, and the Lower East Side Tenement Museum as defendants.
Rady Children’s Hospital has faced several data breaches in recent years, including one earlier in 2020, according to the lawsuit. “If [the] defendant truly understood the importance of safeguarding its patients’ medical information, it would acknowledge its responsibility for the harm it has caused and would compensate them, provide long-term protection, agree to court-ordered and enforceable changes to its cybersecurity policies and procedures, and adopt regular and intensive training to ensure that a data breach like this never happens again.”
