FTC Orders Blackbaud to Improve Security and Enforce Data Retention Policies
The Federal Trade Commission (FTC) has ordered South Carolina-based Blackbaud to implement a raft of security measures and to enforce its data retention policies so that customer data is not retained any longer than it is needed. Blackbaud is a customer relationship management software provider whose software is used by 35,000 fundraising entities, including many nonprofit healthcare organizations, to increase philanthropic revenue. In early 2020, a hacker used a Blackbaud customer’s login name and password to access the customer’s Blackbaud-hosted database. Once inside, the hacker exploited security vulnerabilities to move laterally into multiple Blackbaud-hosted environments and remained undetected in Blackbaud’s environment for 3 months.
Over those 3 months, the hacker exfiltrated a vast amount of unencrypted data from tens of thousands of customers, which included the personal and protected health information of millions of individuals. The stolen data included names, contact information, medical information, health insurance information, Social Security numbers, and bank account details. The hacker threatened to publish the stolen data and Blackbaud negotiated a 24 Bitcoin ($235,000) payment for the data to be deleted. Blackbaud was, however, unable to conclusively verify that the stolen data had been deleted.
A Catalog of Security Failures
According to the FTC complaint, Blackbaud’s acts and practices constituted unfair and/or deceptive practices in violation of Section 5(a) of the FTC Act. The FTC alleged that Blackbaud had failed to implement reasonable and appropriate security practices to protect the sensitive personal information of consumers. The lack of safeguards allowed an unauthorized individual to gain access to customer data, and deficient security practices, combined with the failure to enforce its data retention policies, magnified the severity of the data breach.
The FTC alleged that Blackbaud allowed customers to store highly sensitive information such as Social Security numbers and bank account information in unencrypted fields, and that customers could upload attachments containing sensitive personal information that were not encrypted. Further, Blackbaud did not encrypt its database backup files, which contained complete customer records from the products’ databases.
While Blackbaud had data retention policies, they were not enforced, which meant the company retained its customers’ data for years longer than necessary, including the data of former customers and prospective customers. The FTC also criticized Blackbaud for waiting 2 months to notify customers about the data breach and for misrepresenting the scope and severity of the breach in those notifications as a result of “an exceedingly inadequate investigation.”
Blackbaud stated in the July 16, 2020, notification letters that financial information and Social Security numbers were not compromised and said no action was required because no personal information was accessed. Blackbaud’s post-breach investigation determined on July 31, 2020, that the hacker had exfiltrated that customer data, but the company waited until October 2020 to disclose this to its customers.
The affected consumers were denied the opportunity to take timely steps to protect themselves against identity theft and fraud. Since the breach, Blackbaud has received multiple complaints from consumers about identity theft and fraud involving their personal information, which suggests the hacker did not delete the data. Blackbaud did agree to pay for credit monitoring services, but those services were offered months after the breach and only to a limited subset of the affected customers.
Blackbaud made explicit representations about its information security practices that led customers to believe their personal information would be protected. The FTC alleged, however, that Blackbaud had insufficient password controls, no multifactor authentication, no monitoring of logs for signs of unauthorized system activity, no enforcement of its data retention policies, no prompt patching of outdated software and systems, inadequate firewall controls, inadequate network segmentation, and no testing, auditing, assessment, or review of the security features of its products and applications. Blackbaud also failed to conduct regular risk assessments, vulnerability scans, and penetration tests of its networks and databases.
FTC Orders Major Security Updates and Data Deletion
The FTC alleged unfair information security practices, unfair data retention practices, unfair inaccurate breach notifications, deceptive initial breach notifications, and deceptive security statements. The FTC’s proposed order requires Blackbaud to implement and maintain a comprehensive information security program that complies with industry best practices. The order includes 14 security requirements; Blackbaud is also required to delete all customer data that is not required and to undergo independent security assessments.
“Today’s action builds on a series of cases that have made clear that maintaining a data retention and deletion schedule is a critical part of protecting consumers’ data security,” said FTC Chair Lina M. Khan, Commissioner Rebecca Kelly Slaughter, and Commissioner Alvaro M. Bedoya in a joint statement about the consent order. “The Commission has also made clear that efforts to downplay the extent or severity of a data breach run afoul of the law.”
Blackbaud previously settled a multistate action with the attorneys general of 49 states and the District of Columbia and paid a $49.5 million penalty, and it was ordered to pay a $3 million civil monetary penalty by the U.S. Securities and Exchange Commission for omitting important facts about the data breach from its August 2020 quarterly report. Blackbaud is also being sued by consumers whose personal information was stolen.
The post FTC Orders Blackbaud to Improve Security and Enforce Data Retention Policies appeared first on HIPAA Journal.
LockBit Ransomware Gang Claims Responsibility for Attack on Saint Anthony Hospital
The LockBit ransomware gang has added Chicago’s Saint Anthony Hospital to its data leak site and is demanding a ransom payment of almost $900,000 from the nonprofit hospital to prevent the release of the stolen data. Earlier this week, Saint Anthony Hospital confirmed that it was still investigating the attack, which was detected on December 18, 2023. Saint Anthony Hospital took immediate action to secure its network and prevent further unauthorized access, and an investigation was launched to determine the nature and scope of the unauthorized activity. The hospital’s prompt response allowed patient care to continue without disruption.
The investigation confirmed on January 7, 2024, that an unknown, unauthorized third party had copied files from its network on December 18, 2023, which contained patient information. Those files are being reviewed to determine the number of patients affected and the types of information involved, and that process is ongoing. At this stage, Saint Anthony Hospital is unable to say how many individuals have been affected and the specific types of data involved. Individual notification letters will be mailed to the affected individuals when that process is completed.
While the theft of patient data has been confirmed, the forensic investigation found no evidence that its electronic medical record database or financial systems as a whole were compromised. Saint Anthony Hospital said that, as part of its commitment to data privacy, existing data security policies and procedures are being reviewed and will be updated as appropriate to better protect patient data in the future. The incident has been reported to the Federal Bureau of Investigation, the Department of Health and Human Services, and other regulators. Because some patient data has been stolen, patients have been advised to remain vigilant against identity theft, to review their account and explanation of benefits statements for unusual activity, and to report any suspicious activity to their insurance company, health care provider, or financial institution.
Since the notification was issued, the LockBit ransomware group has added Saint Anthony Hospital to its data leak site. The LockBit group has previously claimed that it prohibits affiliates from attacking hospitals. Last year, an affiliate attacked Toronto’s Hospital for Sick Children (SickKids); the group promptly apologized, issued a free decryptor so the hospital could recover its files, and claimed that the affiliate behind the attack had been expelled from its program for violating its operating rules. The latest attack suggests that policy is no longer being enforced. In the listing on its data leak site, the LockBit group claimed that “Always US hospitals put their greedy interest over those of their patients and clients,” apparently oblivious to the fact that Saint Anthony Hospital is a nonprofit healthcare provider.
Saint Anthony Hospital has indicated the ransom will not be paid. “As a vital safety-net hospital to the people in the communities we serve, we are dedicated to using our resources to care for our community’s most vulnerable and not to rewarding the illegal actions of bad actors,” said CIO Jeff Eilers.
The post LockBit Ransomware Gang Claims Responsibility for Attack on Saint Anthony Hospital appeared first on HIPAA Journal.