A patient's guardian is suing Rady Children's Hospital over the 2020 Blackbaud security breach, which affected 19,788 patients of the San Diego-based hospital.
The breach on Blackbaud, which stores donor information for organizations, impacted more than 25,000 nonprofit organizations across the world, including numerous health systems in the U.S. The breach occurred between Feb. 7 and May 20, 2020, and Blackbaud paid the ransom for the attackers to destroy their backup file of stolen information. Rady Children's notified patients of the breach Oct. 29 after learning of the incident.
Eight details:
1. Rady Children's data impacted by the breach included patient names, addresses, dates of birth and names of patients' physicians, according to the lawsuit, which was filed Jan. 20 with the U.S. District Court of Southern District of California.
2. The lawsuit alleges that Rady Children's violated the California Confidentiality of Medical Information Act and California Consumer Records Act; the hospital is also being accused of negligence, invasion of privacy and breach of implied contract.
3. The plaintiff claims that because Blackbaud has not provided verification that the stolen data was disposed, both Rady Children's and Blackbaud do not know "know whether the hackers maintained the data in a sufficiently secure manner to prevent others from acquiring the private information," according to the court documents.
4. The lawsuit argues that data stolen in the breach therefore could have been copied multiple times by the unauthorized users and not destroyed, which leaves the possibility for the information to be sold or misused in the future.
5. The Blackbaud breach was the second patient data breach reported by Rady Children's in 2020. Last February, the hospital reported the discovery of a data breach lasting six months that had exposed the information of 2,360 patients.
6. The lawsuit claims that the security breach involving Blackbaud "surpasses both of the prior data breaches, combined, and is further evidence that [Rady]'s conduct and practices as it relates to the preserving the confidentiality of its patients' medical information failed to reasonably protect said information from unauthorized disclosure."
7. The plaintiff is seeking actual and exemplary damages, injunctive relief, restitution and "a declaration that [Rady Children's] actions were unlawful."
8. In an emailed statement to Becker's Hospital Review, a Rady Children's spokesperson said the hospital's policy is "not to respond to any specific allegations made in pending litigation, but rather to allow the court system to handle these matters through the normal course of litigation."