Patient Sues Rady Children’s Hospital Over Blackbaud Data Breach

Rady Children’s Hospital in San Diego is being sued by a guardian of a patient whose information was compromised during last year’s hack of Blackbaud, its vendor.

A guardian of a patient whose information was included in last year's Blackbaud data breach has sued Rady Children’s Hospital over the incident. Blackbaud is a third-party vendor of the San Diego hospital, and about 19,800 Rady Children's patients were affected by the security incident.

The Blackbaud incident was the largest healthcare data breach of 2020. It first came to light in August, when Northern Light Health Foundation reported that the data of 657,392 of its patients and donors was compromised by a ransomware attack on its vendor, Blackbaud.

The cyberattack was first detected by Blackbaud on May 14 on its self-hosted environment. But the hackers first gained access to the network several months earlier on February 7, 2020, and during that time, the actors stole a subset of data from the network.

The vendor paid the ransom demand “with confirmation that the copy they removed had been destroyed.”

However, while Blackbaud first stressed that the impacted data was limited to a small amount of sensitive information, such as contact details, a later report found that some patient Social Security numbers and medical information were also compromised during the hack.

According to the filing, the Rady Children’s data compromised by the Blackbaud incident included patient names, addresses, dates of birth, the names of patients’ physicians, and the hospital department visited by the patients.

Blackbaud is currently facing more than 20 lawsuits over the incident, which impacted more than 10 million patients from over 100 entities across a range of sectors, including several dozen healthcare organizations.

The lawsuit filed against Rady Children’s alleges the provider violated the state’s consumer privacy protection and medical information laws. California has one of the strictest data privacy protection laws in the country, which has been compared to the EU’s GDPR.

Specifically, the class action complaint alleges that Rady Children’s violated the California Confidentiality of Medical Information Act and the California Consumer Records Act. The hospital also faces claims of negligence, invasion of privacy, and breach of implied contract.

The lawsuit seeks actual and exemplary damages, injunctive relief, restitution, and a “declaration that [Rady]’s actions were unlawful.”

“[Patients are] now at risk because of [Rady]’s negligent conduct and unfair acts and practices,” according to the lawsuit. “The private information that [Rady] collected and maintained has been placed in the hands of criminal hackers.” 

“[Rady] cannot reasonably maintain that the hackers destroyed the private information,” it added. “[Rady] has a duty to reasonably protect the confidentiality of the medical information that it maintains, preserves, stores, abandons, destroys, or disposes of, and failure to comply with this duty exposes [Rady] to liability for nominal and/or actual damages under [California law].”

The lawsuit also takes issue with Blackbaud’s failure to provide verification or further details regarding the disposition of the data that could confirm whether the stolen data was actually destroyed.

Interestingly, the suit argues that both Rady and Blackbaud don’t “know whether the hackers maintained the data in a sufficiently secure manner to prevent others from acquiring the private information.”

As a result, the lawsuit claims the stolen data was copied multiple times by unauthorized users rather than destroyed, increasing the likelihood that the data will be sold or misused at a later date.

Arguably, the data supports this claim: data exfiltration has increased drastically in recent months, and many extortion groups falsify the “proofs” that the stolen data was deleted.

As outlined in the lawsuit, this is the second patient data breach reported by Rady Children’s in the last year. In January 2020, the hospital reported a six-month data breach that exposed the data of more than 20,000 patients. Those breach victims sued Rady Children’s, as well.

The lawsuit contends that the latest security incident involving Blackbaud “surpasses both of the prior data breaches, combined, and is further evidence that [Rady]’s conduct and practices as it relates to preserving the confidentiality of its patients’ medical information failed to reasonably protect said information from unauthorized disclosure.”

“[Rady] had the resources necessary to protect and preserve confidentiality of electronic medical information of [patients] in its possession, but neglected to adequately implement data security measures according to its representations,” according to the lawsuit.

“Additionally, the risk of vulnerabilities in its computer and data systems of being exploited by an unauthorized third party trying to steal [patients’] medical information was foreseeable and/or known to [Rady],” it continued.

As the Blackbaud incident was contained to its servers, it’s unclear how the lawsuit will unfold. HealthITSecurity.com will update the story as more information becomes available.