Impacted Clients, Lawsuits Pile Up; SEC Filing Provides Incident Details
As the list of customers reporting data breaches tied to the May ransomware attack on Blackbaud continues to surge, and related legal actions against the company grow, the cloud-based fundraising software vendor recently told Wall Street that it expects cyber insurance to cover the bulk of its costs associated with the incident.
During an Oct. 30 call with financial analysts to discuss the Charleston, South Carolina-based vendor’s third quarter earnings, Blackbaud executives also said the company has fixed a weakness in one of its older products linked to the cyber incident.
“Through our forensics investigation, we were able to understand exactly how this [cyberattack] occurred and we’ve remediated the vulnerability, which was tied to one of our early generation products,” Michael Gianoni, Blackbaud president and CEO told analysts, according to a transcript of the call.
The company is “incorporating lessons learned from this incident to continue improving on our cybersecurity program and further harden our environments while being transparent with our customers on our progress,” Gianoni told the financial analysts.
“These types of cyber threats are on the rise, and over the last several years Blackbaud has invested significantly in terms of dollars, and human resources to enhance our cyber security program and preparation for an attack like this.”
Growing List of Victims
Blackbaud did not immediately respond to Information Security Media Group’s request for details regarding the “early generation product” that contained the security vulnerability leading to the incident.
Blackbaud also declined ISMG’s request for information regarding its customers, including those in the healthcare sector, impacted by the incident.
“We aren’t disclosing the total number of customers – or any segment – involved in the incident, and we cannot provide the names of those who were part of this incident nor can we discuss any customer specifically,” Blackbaud told ISMG in a statement. “Those customers which were part of this incident have been notified.”
However, to date, based on data breach notifications and other disclosures, at least 250 U.S.-based organizations – including healthcare entities, educational institutions and non-profits – were impacted by the Blackbaud incident, says Jim Van Dyke, CEO and founder of security firm Breach Clarity.
A snapshot on Tuesday of the Department of Health and Human Services’ HIPAA Breach Reporting Tool website – along with notification statements issued by the breached entities – shows that at least four dozen healthcare sector organizations were affected by the Blackbaud hacking incident.
The HHS website lists HIPAA breaches impacting 500 or more individuals.
In total, the website indicates that Blackbaud-related healthcare sector breaches have affected about 10 million individuals.
But it was not just U.S. based entities impacted by the incident. Other victims of the Blackbaud attack also include organizations in Canada, Europe and New Zealand (see: Blackbaud’s Bizarre Ransomware Attack Notification).
“Organizations that suffered breaches of their data via service provider Blackbaud had a wide variety of personal victim data exposed, and it could be quite a while before all legal and other costs are settled.”
—Jim Van Dyke, Breach Clarity
“Organizations that suffered breaches of their data via service provider Blackbaud had a wide variety of personal victim data exposed, and it could be quite a while before all legal and other costs are settled,” Van Dyke says. “Notably, the breaches exposed a wide variety of personal data, each with unique predicted risks and prescribed action steps.”
But in the recent earnings call with financial analysts, Blackbaud executives appeared confident that the company’s insurers would cover most of the costs associated with the incident.
“We have good insurance in place – our insurers are working with us very closely. The key there is coordinating with them and make sure we’re clear on what they’re covering or not going to cover,” Anthony Boor, Blackbaud chief financial officer, told the analysts.
“At this point … we believe insurance is going to cover the majority of it, other than our internal resources and time. … The big thing, I think that you’ll see probably in our numbers is just our continued investment in our cybersecurity resources internally,” Boor says.
Blackbaud’s 10-K filing with the U.S. Securities and Exchange Commission for the third quarter ended Sept. 30, shows that the company reported total revenue was $215 million, down 2.8% from the same period in 2019, and net income of $4.9 million, up less than 1% from the same quarter last year.
But the filing also provides a look at the expenses that Blackbaud has laid out so far in the wake of the incident, as the company awaits reimbursement from its insurers.
During the quarter, Blackbaud says it recorded $3.2 million of expenses and $2.9 million of accrued insurance recoveries related to the security incident. For the nine months ended Sept. 30, the company recorded $3.6 million of expenses and $2.9 million of accrued insurance recoveries related to the security Incident.
“Recorded expenses consisted primarily of payments to third-party service providers and consultants, including legal fees, and enhancements to our cybersecurity measures,” the company’s SEC filing notes.
“Due to the time required to submit and process such insurance claims, we have not yet received any of the accrued insurance recoveries,” the company notes.
“We expect to continue to experience increased costs related to our response to the security Incident and our efforts to further enhance our security measures,” the company’s filing notes.
Blackbaud is also facing a number of lawsuits and regulatory investigations related to the security incident that “in the future that might result in adverse judgments, settlements, fines, penalties, or other resolution,” the company’s quarterly filing with the SEC notes.
“Although we carry insurance policies that we believe will provide coverage for a significant portion of our current and expected future losses and expenses related to the security incident, there can be no assurance that they will do so.”
To date, Blackbaud has received approximately 160 legal claims from customers or their attorneys in the U.S., U.K. and Canada related to the cyber incident, the company notes.
In addition, the company currently faces 23 punitive consumer class actions, including 17 in U.S. federal courts, four in U.S. state courts and two in Canadian courts, each alleging harm from the security incident, Blackbaud says in its SEC filing (see Blackbaud Ransomware Breach Victims, Lawsuits Pile Up).
“Lawsuits that are putative class actions require a plaintiff to satisfy a number of procedural requirements before proceeding to trial. … As a result of these uncertainties, we may be unable to determine the probability of loss until, or after, a court has finally determined that a plaintiff has satisfied the applicable class action procedural requirements.”
“Obviously, we got these guys in the midst of their efforts – they weren’t able to take over our systems … but it’s still going to be painful to work through.”
—Anthony Boor, Blackbaud
Besides the lawsuits, Blackbaud notes that it is facing a variety of governmental inquiries related to the incident.
So far that includes a consolidated, civil investigation into the security incident by 43 U.S. state attorneys general, plus the District of Columbia; as well as inquiries by the U.S. Federal Trade Commission and HHS.
Internationally, Blackbaud also says it faces inquiries from the Information Commissioner’s Office in the U.K. under the U.K. Data Protection Act 2018, the Office of the Australian Information Commissioner and the Office of the Privacy Commissioner of Canada.
“We are cooperating with these offices and responding to their inquiries,” Blackbaud says in the SEC filing.
Blackbaud also acknowledged in its breach notification that it paid an undisclosed ransom to cybercriminals in exchange for them ensuring that any copies of the data stolen were destroyed.
“After discovering the attack, our cybersecurity team – together with independent forensics experts and law enforcement – successfully prevented the cybercriminal from blocking our system access and fully encrypting files and ultimately expelled them from our system,” the notification said. (See: Questions Persist About Ransomware Attack on Blackbaud).
However, in a form 8-K Blackbaud filed with the SEC in September, the company said its forensic investigation found that for some of the notified customers, “the cybercriminals may have accessed some unencrypted fields intended for bank account information, Social Security numbers, usernames and/or passwords.” (See: Blackbaud: Hackers May Have Accessed Banking Details).
But during the analyst call last week, Blackbaud CFO Boor said the company did a “great job” containing the incident.
“Obviously, we got these guys in the midst of their efforts – they weren’t able to take over our systems, but I think that was great, but it’s still going to be painful to work through, but there’ll be plenty of disclosure on the topic in the financials and we will certainly build any estimated cost we would incur into the 2021 plan,” he said.
Based on the investigation into the incident so far, “we have no reason to believe that any data went beyond the cybercriminal, was or will be misused, or will be disseminated or otherwise made available publicly,” Blackbaud says in its quarterly filing. “Our investigation into the security incident by our cybersecurity team and third-party forensic advisors remains ongoing.”
Meanwhile the list of healthcare organizations impacted by the incident continues to grows.
Among the most recently added Blackbaud-related incidents posted to the HHS Office for Civil Rights’ tally of major HIPAA breaches are reports filed by:
- Florida based Moffitt Cancer Center, with nearly 96,000 individuals affected;
- Illinois-based OSF HealthCare System with about 94,200 individuals impacted;
- Pennsylvania-based Geisinger with more than 86,400 individuals impacted.
So far the largest health data breach related to the Blackbaud incident was reported by Virginia-based Inova Health System in September, with more than 1 million individuals affected (see: Tally of Those Affected by Blackbaud Hack Soars).