Minnesota nets $780,000 in national data breach settlement

Blackbaud ransomware incident in 2020 affected millions of people across the country, including patients and donors at Children's Minnesota and Allina hospitals.

By Burl Gilyard Star Tribune

October 5, 2023 — 3:12pm

Minnesota will receive $780,000 from a multistate settlement over an extensive 2020 data breach, Attorney General Keith Ellison announced Thursday.

The money is part of a $49.5 million settlement with 49 states and the District of Columbia with South Carolina-based Blackbaud Inc. over the ransomware attack.

The attack caused personal information of millions of consumers to be exposed. Another issue is that the company was slow to disclose the breach and initially refused to tell customers what information has been accessed.

"This settlement reflects our commitment to holding companies accountable when they do not adequately protect Minnesota consumer data," Ellison said in a statement.

In Minnesota, the breach hit Children's Minnesota, Allina Health, Regions Hospital and Gillette Children's Specialty Healthcare.

Allina said information from more than 200,000 patients and donors may have been at risk. Children's Minnesota notified more than 160,000 families of the breach. At the time, the breach ranked as the second-largest health care data breach in state history and also impacted other Minnesota nonprofits.

Blackbaud is a publicly traded cloud software company that provides service to nonprofits, education, health care and other "social good" organizations. As part of the settlement, Blackbaud agreed to implement several data security practices to safeguard customer information.

"The company expects to pay the full settlement amount to each state and the District of Columbia in October 2023 from its existing liquidity," the company said in a Thursday filing with the U.S. Securities and Exchange Commission (SEC). "The company has entered into the administrative orders without admitting fault of liability in connection with the matters subject to the multistate Investigation."

Marlon Kimpson, one of the plaintiff lawyers, applauded the settlement as a first step toward resolving the case.

"But to be clear, there are millions of people across this country whose data was stolen because Blackbaud ... used outdated data breach victims," said Kimpson, an attorney with Motley Rice in South Carolina.

The state of California is pursuing its own action, called a civil investigative demand, against Blackbaud and was not part of the multistate action. The issue with California remains unresolved.

In March, the SEC announced a separate $3 million settlement with Blackbaud for misleading disclosures related to the data breach.

StarTribune

Minnesota nets $780,000 in national data breach settlement

MLB and Nike announce 2025 uniforms will have larger jersey lettering and custom-fit pants

How major US stock indexes fared Friday, 5/3/2024

Democratic officials criticize Meta ad policy, saying it amplifies lies about 2020 election

Closing prices for crude oil, gold and other commodities

Three groups are suing New Jersey to block an offshore wind farm