Pediatric Hospital Faces Lawsuit After Blackbaud Breach
Case Spotlights Critical Vendor Security Risk Issues
A lawsuit seeking class-action status has been filed against Rady Children’s Hospital-San Diego in the wake of a data breach that affected nearly 20,000 individuals. The incident was the result of a ransomware attack last year on Blackbaud, the hospital’s cloud-based fundraising software vendor.
The hospital was among several dozen healthcare entities, as well as educational institutions and nonprofit organizations, affected by the Blackbaud ransomware incident.
The lawsuit alleges violations of California’s medical information confidentiality and consumer protection laws, invasion of privacy, negligence and breach of implied contract, based on how the hospital handled the sensitive patient information.
Charleston, South Carolina-based Blackbaud is also facing a number of lawsuits and regulatory investigations related to the security incident, which, the company noted in a quarterly filing with the SEC in October, "might result in adverse judgments, settlements, fines, penalties or other resolution" (see: Blackbaud Expects Cyber Insurer Will Cover Most Attack Costs).
Some of the lawsuits filed against Blackbaud also name as defendants covered entities whose patients’ data was affected by the ransomware attack.
For instance, a proposed class-action lawsuit filed last November in a Maine federal court against Blackbaud also named Eastern Maine Healthcare System, which does business as Northern Light Health, as a defendant. Last year, the healthcare organization reported to HHS a data breach involving Blackbaud that affected nearly 657,400 individuals.
“While the majority of class actions brought in the U.S. have targeted Blackbaud directly, there has been a trend to pursue claims against the organizations that hired the vendor, alleging that they could have done more to ensure that their personal information was protected,” says privacy attorney David Holtzman of the consulting firm HITprivacy LLC.
What Information Was Exposed?
The Department of Health and Human Services’ HIPAA Breach Reporting Tool website of health data breaches shows that Rady Children’s Hospital reported on Oct. 30, 2020, a hacking incident affecting 19,788 individuals.
In its breach notification statement, Rady noted that Blackbaud confirmed an unauthorized party had access to backup files for its fundraising software between Feb. 7, 2020, and June 4, 2020.
Rady said in its statement that the information that may have been exposed about patients includes names, addresses, physicians' names, dates of admission, departments of service and dates of birth.
“Blackbaud has informed us that it has no indication that any of the information actually was viewed, and that it has no reason to believe that any of this information has been or will be misused, or will otherwise be made available publicly,” the statement says.
But the lawsuit against the hospital alleges that “Blackbaud has not provided verification or further details regarding the disposition of the data to confirm that the stolen data has been destroyed. Nor does [Rady] or Blackbaud know whether the hackers maintained the data in a sufficiently secure manner to prevent others from acquiring the private information.”
The lawsuit also alleges that class members’ private information “was copied multiple times by unauthorized users, not destroyed, and the data has been or may be sold and misused at a later date.”
In a statement provided to Information Security Media Group, the hospital says: “It is the policy of Rady Children's not to respond to any specific allegations made in pending litigation, but rather to allow the court system to handle these matters through the normal course of litigation.”
Similarly, Blackbaud says the company’s policy is to not comment on pending legal actions, whether involving Blackbaud or a third party. “Pertaining to the class action lawsuits filed against Blackbaud, Blackbaud disagrees with the allegations and intends to demonstrate they are without merit,” the company says.
Attorneys representing plaintiffs in the proposed class action against Rady did not immediately respond to ISMG’s request for comment.
During an Oct. 30 call with financial analysts to discuss the vendor's third-quarter earnings, Blackbaud’s executives said the company has fixed a weakness in one of its older products that was linked to the cyber incident.
High Risks Involved
In the lawsuit against the children’s hospital, the plaintiffs allege that because the data breach involved personal information of minors, the risk of identity theft and fraud is particularly worrisome.
“This risk is made even more concerning by the fact that members of the class … are minors and thus stand to lose more than what is usually at stake with identity theft given their lack of credit history and the fact that their information can be used to create a ‘clean slate identity,’” the lawsuit states.
It also alleges that the hospital was negligent in several ways, including breaching “its duty by failing to exercise reasonable care in supervising its agents, contractors, vendors and suppliers, and in handling and securing the personal information and medical information” of those affected by the incident.
The lawsuit against Rady Children’s Hospital “faces some substantial hurdles,” says regulatory attorney Paul Hales of the law firm Hales Law Group, who is not involved in the case.
“Plaintiffs have a geographical advantage because their lawsuit is based on California law that is much stronger than HIPAA,” he notes. “But they have a mountain to climb. They can only succeed if evidence supports the facts and legal theories they allege.”
A key issue is whether Blackbaud is a legal agent of the hospital, which means the hospital would be liable for damages due to Blackbaud’s acts or omissions, Hales says. “The answer depends on any contract terms that allow Rady control over Blackbaud’s performance. A relatively low level of control can establish an agency relationship between a hospital and its business associate under the Federal Common Law of Agency.”
The other key issue is whether plaintiffs can prove negligence, he says. “California law allows money damages for negligent disclosure of medical information even if a plaintiff suffered no actual damages. Can plaintiffs prove Rady was negligent when it entrusted Blackbaud with PHI, for example, because they failed to do proper due diligence?”
Personally identifiable information of a child “is the gold standard for an identity thief because it is pristine,” Hales notes. “Credit fraud is easy when a Social Security number has no history. And discovery is slow. Victims don’t discover the theft of their identity until they are old enough to fill out their first credit application.”
Third-Party Risk Management
The Blackbaud breach illustrates the security risks vendors can pose, Holtzman says.
“As in other breaches of companies providing information technology and data management services, healthcare organizations that hire these firms should take prompt action to protect themselves from the fallout, beginning with shoring up their vendor relationships,” he says.
“The types of incidents that involve vendors providing data management services for healthcare business operations are the scariest of incidents because of the breadth and sheer volume of the data they could be handling.”
Healthcare organizations should review their vendor contracts to ensure they include terms that require timely notification of security incidents and the provision of reports about investigations, he says.
Entities also should review the risk management plans of vendors before signing a contract, he adds.