Rady Children’s Hospital Hit with Class Action Over 2020 Blackbaud Data Breach

New to ClassAction.org? Read our Newswire Disclaimer

Rady Children’s Hospital-San Diego faces a proposed class action over a data breach of third-party vendor Blackbaud’s systems that reportedly affected nearly 19,800 patients.

The lawsuit alleges the regional pediatric center, the largest children’s hospital in California based on admissions, failed to implement adequate security measures and ensure Blackbaud, which supplies fundraising and donor management software to Rady, had proper safeguards in place to protect patients’ private medical information.

The case alleges that those affected by the Blackbaud breach have been placed at an “imminent, immediate, substantial and continuing increased risk” of identity theft and fraud due to the defendant’s negligence.

According to the lawsuit, Rady announced in an October 29, 2020 press release that it “recently learned that one of its third-party service providers, Blackbaud,” had experienced a data breach in which an unauthorized party gained access to the company’s backup files for its fundraising software between February 7 and June 4, 2020.

Blackbaud claimed to have “expelled the hackers from the system” as soon as it was aware of their presence, but the criminals were able to remove a copy of a subset of Blackbaud’s data, the case relays. Per the lawsuit, the compromised files contained “highly valuable and protected information,” including Rady patients’ names, addresses, dates of birth, physicians’ names, and department they were admitted to.

According to the suit, although Blackbaud paid a ransom to the hackers and claimed to have received confirmation that the stolen data had been destroyed, Rady “cannot reasonably maintain that the hackers destroyed” proposed class members’ private information.

“On information and belief, Blackbaud has not provided verification or further details regarding the disposition of the data to confirm that the stolen data has been destroyed,” the complaint reads. “Nor does Defendant or Blackbaud know whether the hackers maintained the data in a sufficiently secure manner to prevent others from acquiring the Private Information.”

The lawsuit suspects that patients’ data was “copied multiple times” by unauthorized parties and has been or will be sold and misused in the future. Per the suit, the breach affected roughly 19,788 individuals.

The case goes on to note that Rady has a history of allegedly failing to reasonably protect and preserve the confidentiality of patients’ private medical information. According to the lawsuit, the defendant has been investigated and fined by the California Department of Public Health for four separate reported disclosures of the unencrypted data of 20,421 of its patients between June 16, 2014 and July 25, 2015.

Moreover, the defendant reported another incident as recently as February 2020, during which the radiology-related information of 2,360 patients was exposed between June 20, 2019 and January 5, 2020, the lawsuit says.

The most recent data breach, however, “surpasses both of the prior data breaches, combined,” the lawsuit states, alleging that although Rady had the resources necessary to protect patients’ information, it neglected to implement adequate data security measures. The suit goes on to question representations within Rady’s privacy policy that the healthcare center is “committed to protecting the privacy of medical information.”

“If Defendant truly understood the importance of safeguarding its patients’ medical information, it would acknowledge its responsibility for the harm it has caused, and would compensate them, provide long-term protection, agree to Court-ordered and enforceable changes to its cybersecurity policies and procedures, and adopt regular and intensive training to ensure that a data breach like this never happens again,” the complaint contends.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s newsletter here.