Blackbaud SEC Filing Gives Additional Details on Data Breach and Expenditures of Mitigation

The number of entities submitting reports of being impacted by the Blackbaud cyberattack and security breach has increased in the past few weeks. The Department of Health and Human Services’ Office for Civil Rights breach site is regularly being kept up to date to record healthcare victims. The entities lately included are OSF HealthCare System, Geisinger and Moffitt Cancer Center. The three organizations reported that the breach has affected a total of 276,600 persons.

Though Blackbaud did not reveal the total number of affected people, no less than 250 healthcare providers, nonprofits, and educational bodies are acknowledged to have been affected. Reports of healthcare companies reveal that the breach impacted over 10 million people.

It is not shocking considering that the breach costs sustained by companies and the number of persons who had their personal data compromised, Blackbaud is looking at a lot of class action lawsuits. About 23 proposed class-action lawsuits were filed thus far in the U.S and Canada, based on its 2020 Q3 Quarterly Report given to the U.S. Securities and Exchange Commission (SEC). Of all the lawsuits, 2 were submitted in Canadian courts, 17 in the United States federal court, and 4 in state courts.

The lawsuits assert that victims have suffered hurt due to the breach and claim that there were a few regulations violations. Hence, the lawsuits want damages, injunctive relief, and attorneys’ fees, and close to 160 claims were obtained from Blackbaud’s clients from the U.S., Canada, and the U.K.

Besides the legal cases, regulators are investigating Blackbaud in relation to violations of data privacy laws violations. The investigating organizations are the Federal Trade Commission, the Department of Health and Human Services, and globally by the UK’s Information Commissioner’s Office and the Office of the Privacy Commissioner of Canada. 43 state attorneys general and the District of Columbia likewise started a joint investigation.

As per the SEC records, Blackbaud has already sustained expenditures of more than $3.2 million in addressing the cyberattack from July to September 2020, and $3.6 million in expenses in the last 9 months. That number is countered by $2.9 million accumulated in insurance recoveries between July and September.

Costs is going to continue to accumulate in resolving the breach and though those expenditures are very likely to be sizeable. But Blackbaud says its cyber insurance protection will cover most of the breach costs.

While cyber insurance protection has actually paid for part of the expenses, there is no assurance that the plans will pay for all expenditures. The likelihood of loss can’t be established yet until a court has eventually decided that a plaintiff has fulfilled the pertinent class action procedural specifications.

In the meeting with financial analysts, Blackbaud mentioned that the forensic investigation discovered just how the hackers became successful in gaining access to its networks. The hackers took advantage of a vulnerability that was found in its early generation products that was repaired by now and steps were already undertaken to solidify security. Blackbaud furthermore mentioned that a huge amount of money was spent in cybersecurity and employees before the breach to prepare for this kind of an attack.

Blackbaud was able to contain the attack yet was unable to avoid the exfiltration of certain customer information. The organization paid the ransom to avert data exposure and is convinced that the payment stopped any more data exposures.