
FTC asked Blackbaud to report on data handling practices



The Federal Trade Commission finalized an order on Monday related to Blackbaud, resolving allegations that the cloud company failed to implement adequate security measures to protect data during a ransomware attack in 2020.

This ruling follows separate monetary settlements with the U.S. Securities and Exchange Commission and multiple states.

WHY IS IT IMPORTANT?

After the initial complaint in February, the FTC said in its final order that the cyberattack against Blackbaud went undetected for three months. Third-party vendors collect personally identifiable and protected health information for their revenue cycle operations.

The FTC also noted in its notice that Blackbaud waited nearly two months to notify its customers of the breach, then misled consumers about the extent of the data stolen.

Under the settlement order, the trade body requires Blackbaud to delete data it no longer needs and states that it is prohibited from “misrepresenting” its data security and data retention policies.

The company must also develop a comprehensive information security program to address complaints and reports of data deletion activities within the agency’s data retention schedule.

The company is also now required to notify the FTC if it experiences a future data breach that requires reporting to any other local, state or federal agency.

According to an agency statement, FTC Commissioner Andrew Ferguson was not involved in the decision and Commissioner Melissa Holyoak was recused.

Last month, the company’s board of directors rejected a $4.3 billion offer from Clearlake Capital Group, which now owns 18.3% of Blackbaud, Reuters reported. According to the story, the private equity firm became an investor in 2020 and made two bids to buy the company.

THE LARGER TREND

Last year, Blackbaud settled with the U.S. Securities and Exchange Commission for $3 million to resolve federal charges that it made misleading disclosures following a 2020 ransomware attack. Then, in October, Blackbaud agreed to pay $49.5 million to 49 states and the District of Columbia to resolve the investigations.

“Cyberattacks are always evolving, so we continually strengthen our compliance and cyber security to ensure our resilience in an ever-changing threat landscape.”

Since 2009, the FTC has expanded rules under the Health Breach Notification Rule to target health and wellness technology companies operating outside of HIPAA.

ON THE RECORD

“As a result of these failures, a hacker in early 2020 exploited weaknesses in Blackbaud’s network,” FTC officials said in a statement. “The network went undetected for three months, allowing hackers to delete large amounts of sensitive unencrypted consumer data.”

Andrea Fox is a senior editor at Healthcare IT News.

Healthcare IT News is a publication of HIMSS Media.
