Judge Allows Blackbaud Ransomware MDL to Proceed

A federal judge has ruled that Blackbaud Inc. must face claims over a 2020 ransomware attack that exposed the personal information of plaintiffs. Milberg attorney Harper Segui is Co-Lead Counsel in the multidistrict litigation.

Blackbaud had attempted to dismiss the claims on the grounds that the court lacks subject matter jurisdiction over the plaintiffs’ claims, because the plaintiffs lack standing under Article III of the Constitution. Blackbaud disputed that the plaintiffs, who are patrons of Blackbaud’s customers rather than direct customers of Blackbaud, could establish that their injuries are traceable to Blackbaud’s conduct.

“We look forward to continuing to represent the class on these important issues,” said Milberg’s Harper Segui and colleagues in a joint statement.

Blackbaud said that the plaintiffs’ arguments depend on “coincidences and timing” to establish a causal link between their injuries and the ransomware attack. It argued said that plaintiffs’ injuries could not have resulted from the types of data they claim were compromised in the attack. Plaintiffs cite the likelihood that more information than has been disclosed was compromised due to Blackbaud’s misrepresentations about the data breach.

U.S. District Judge Julianna Michelle Childs ruled in an order issued July 1 that the plaintiffs have plausibly connected the types of data allegedly compromised during the ransomware attack and their alleged injuries, concluding that it is premature to dismiss the plaintiffs’ claims with respect to traceability at this stage.

“Given Blackbaud’s lack of transparency about the extent of the ransomware attack, it is more than plausible that additional information such as contact information, SSNs, and financial information that could be used for spam, phishing, or other forms of fraud was accessed during the ransomware attack,” Judge Childs wrote.

Blackbaud additionally cited the recent Supreme Court opinion in TransUnion v. Ramirez in an attempt to challenge the plaintiffs’ Article III standing, but Judge Childs found that the Blackbaud case is “procedurally distinguishable” from Ramirez.

“We are pleased with Judge Childs’ decision, which we believe may be the first district court case addressing whether the Supreme Court’s TransUnion v. Ramirez opinion closes the courthouse doors to consumers demanding accountability from companies when they are careless with their data,” Segui and colleagues told Reuters in a joint co-lead comment on the ruling. “We look forward to continuing to represent the class on these important issues.”

According to the plaintiffs, Blackbaud suffered a cyberattack from February 7 to May 20 of 2020 that resulted in their personal information being compromised, including their names, addresses, Social Security numbers, bank and credit card information, healthcare records, insurance information, and employer information. They contend that Blackbaud failed to provide them with timely and adequate notice of the cyberattack and the extent of the ensuing data breach. Plaintiffs say they did not receive notice of the attack until months after it occurred, and even then, Blackbaud was not transparent about the types of personal information that was exposed.

Thirty-four named plaintiffs from twenty states filed a consolidated class action complaint in April 2021. The Judicial Panel on Multidistrict Litigation (JPML) approved centralization of those cases into a single, consolidated MDL proceeding. Plaintiffs seek damages for identify theft/fraud, increased future risk of identity theft, time and/or money spent to mitigate the risk of harm, emotional distress, diminished value of their personal information and protected health information, and invasion of privacy.