FTC orders Blackbaud to report on data practices

The Federal Trade Commission finalized an order regarding Blackbaud on Monday, settling allegations that the cloud company failed to implement appropriate security to protect data when it was attacked with ransomware in 2020.

The ruling follows separate monetary settlements with the U.S. Securities and Exchange Commission and several states.


After an initial complaint in February, the FTC said in its final order that the cyberattack on Blackbaud went undetected for three months. The third-party provider collects personally identifiable and protected health information for its revenue cycle activities.

The FTC also noted in its announcement that Blackbaud waited nearly two months to inform its customers of the breach, and then misled consumers about the extent of the stolen data.

According to the settlement order, the trade agency requires Blackbaud to delete data it no longer needs and states that it is prohibited from “misrepresenting” its data security and data retention policies.

The company must also develop a comprehensive information security program that handles complaints and reports on data deletion practices in an agency data retention schedule.

It is also now mandatory to notify the FTC if there is a future data breach that requires notification to another local, state, or federal agency.

FTC Commissioner Andrew Ferguson did not participate in the decision and Commissioner Melissa Holyoak was rebuffed, according to a statement from the agency.

Last month, the company’s board rejected a $4.3 billion offer from Clearlake Capital Group, which currently owns an 18.3% stake in Blackbaud, Reuters reported. The private equity firm became an investor in 2020 and has made two bids to buy out the company, according to the story.


Last year, Blackbaud settled with the U.S. Securities and Exchange Commission for $3 million to address federal allegations that it made misleading disclosures following the 2020 ransomware attack. Then in October, Blackbaud agreed to pay 49 states and the District of Columbia $49.5 million to resolve investigations.

“Cyberattacks are constantly evolving, so we are continually strengthening our cybersecurity and compliance programs to ensure our resilience in an ever-changing threat landscape,” Mike Gianoni, the company’s president and CEO, said in a statement after the multi-state settlement.

Since 2009, the FTC has expanded the rules under its Health Breach Notification Rule to target health and wellness technology companies operating outside of HIPAA.


“As a result of these failures, a hacker exploited weaknesses in Blackbaud’s networks in early 2020, which went undetected for three months, allowing the hacker to delete massive amounts of unencrypted sensitive consumer data,” FTC officials said in a statement.

Andrea Fox is editor-in-chief of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.