On October 5, 2023, Blackbaud Inc., a software provider for the philanthropy, healthcare, and education sectors, has resolved claims that the District of Columbia and 49 U.S. states raised. The claims stem from a ransomware attack that impacted Blackbaud in 2020. The company was affected by a ransomware attack that exposed user information to unauthorized third parties. The breach not only impacted approximately 13,000 Blackbaud customers, but the customers’ own clients and donors as well.
The investigation into the breach was conducted by Vermont and Indiana, with support from several other states. Attorneys general argued that Blackbaud misled its customers and failed to adequately and promptly notify them regarding the breach. As part of the settlement, Blackbaud committed to improve its own breach notification procedures, provide additional training to its staff related to cybersecurity, improve encryption efforts, and utilize third-party assessments of its own compliance efforts. All U.S. states, except for California, and the District of Columbia joined in the settlement.