peshkov - stock.adobe.com

Blackbaud Pays $3M to Settle “Misleading Disclosures” Following Ransomware Attack

Following a 2020 ransomware attack, Blackbaud announced that the attacker had not accessed donor bank information, but it was determined that information had in fact been accessed and exfiltrated.

Blackbaud agreed to pay $3 million to settle charges relating to a 2020 ransomware attack that impacted more than 13,000 entities and millions of individuals, the Securities and Exchange Commission (SEC) announced. Blackbaud provides donor data management software to a variety of nonprofits, including healthcare organizations.

The SEC alleged that Blackbaud made “misleading disclosures” about the breach. Specifically, in July 2020, Blackbaud posted a breach notice on its website that indicated that the ransomware attacker had not accessed donor bank account information or Social Security numbers.

“Within days of these statements, however, the company’s technology and customer relations personnel learned that these claims with respect to bank account information and social security numbers were erroneous,” the SEC order stated.

“Nevertheless, on August 4, 2020, the company filed a Form 10-Q that discussed the incident, but omitted this material information about the scope of the attack, and misleadingly characterized the risk of exfiltration of such sensitive donor information as hypothetical.”

It was not until September 2020 that the company first disclosed that the attacker had accessed unencrypted donor bank information and Social Security numbers. The SEC also found that Blackbaud had failed to maintain proper disclosure controls and violated certain sections of the Securities Act of 1933 and the Securities Exchange Act of 1934.

“As the order finds, Blackbaud failed to disclose the full impact of a ransomware attack despite its personnel learning that its earlier public statements about the attack were erroneous,” said David Hirsch, chief of the SEC Enforcement Division’s Crypto Assets and Cyber Unit. “Public companies have an obligation to provide their investors with accurate and timely material information; Blackbaud failed to do so.”

The ransomware attack was first discovered in May 2020 but may have begun as early as February 2020. A variety of healthcare organizations that had business associate relationships with Blackbaud were impacted by the breach, including Northern Light Health Foundation, AdventHealth Foundation Shawnee Mission, and Sisters of Charity Health System.

The SEC ordered Blackbaud to pay a $3 million civil penalty and to cease committing SEC violations. Blackbaud did not admit any wrongdoing but agreed to the settlement.

Next Steps

Dig Deeper on Cybersecurity strategies