Current Cases

In re Blackbaud, Inc., Customer Data Breach Litigation

Status Current Case

Practice area Consumer Protection

Court U.S. District Court, District of South Carolina

Case number 3:20-mn-02972-JMC, MDL No. 2972


Cohen Milstein is representing plaintiffs in a putative customer data breach class action against Blackbaud, a cloud computing account management and billing services company, that manages financial, personal, and health-related data for healthcare entities, education institutions, nonprofits, foundations, corporations, and other types of companies. Plaintiffs claim that Blackbaud failed to take standard and reasonably available steps to prevent a data beach, starting in February 2020, and failed to promptly or accurately provide notice of the data breach to those affected.

On February 16, 2021, Cohen Milstein’s Douglas J. McNamara was court-appointed to the Plaintiffs’ Steering Committee.

Case Background

Blackbaud is a cloud computing vendor for nonprofits, foundations, corporations, education institutions, healthcare entities, and other business enterprises. The account data it collects and manages on behalf of its clients included date of birth, age, gender, address, phone number, medical records, health insurance information, as well as social security numbers.

Starting on or about February 7, 2020, until it was discovered by Blackbaud on May 20, 2020, Blackbaud’s client account data was hacked and became subject to a ransomware attack. During this time the hackers stole sensitive data from Blackbaud clients, including the PII of children.

Beginning in mid-August 2020, the vendor began notifying some of its clients that in May 2020 it had fallen victim to a ransomware attack, and the hackers exfiltrated data prior to launching the malicious payload.

Plaintiffs claim that the data breach was a direct result of Blackbaud’s failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect individuals’ PII stored in its cloud.

Specifically, Plaintiffs claim that Blackbaud intentionally, willfully, recklessly, or negligently failed to take adequate and reasonable measures to ensure their data and cyber security systems were protected against unauthorized intrusions; failing to disclose that it did not have adequately robust computer systems and securities practices to safeguard individual PII; failing to take standard and reasonably available steps to prevent the data breach; failing to monitor and timely detect the data breach; and failing to provide Plaintiffs prompt and accurate notice of the data breach.

Plaintiffs further claim that as a result of Blackbaud’s failure to implement and follow basic security procedures, Plaintiffs PII and their affected children, are now in the hands of thieves and that Plaintiffs will have to spend, and will continue to spend, significant amounts of time and money in an effort to protect themselves and/or family members from continued adverse ramifications of the data breach.

Plaintiffs bring this class action, alleging negligence, breach of implied contract, unjust enrichment, declaratory judgement, breach of confidence, invasion of privacy, and violation of South Carolina’s Data Breach Security Act, S.C. Code Ann. § § 39-1-90. Plaintiffs seek to compel Blackbaud to adopt reasonably sufficient security practices to safeguard PII that remains in its custody in order to prevent further data breaches.

Case name: In Re: Blackbaud, Inc., Customer Data Breach Litigation, Case No.: 3:20-mn-02972-JMC, MDL No. 2972, United States District Court for the District of South Carolina