Little Hill Foundation for the Rehabilitation of Alcoholics, Inc. d/b/a Alina Lodge in New Jersey is first notifying patients whose data was involved in the Blackbaud ransomware incident early last year.
From a report filed by their external counsel, it seems that Blackbaud first notified Alina in October, 2020. Between then and April 19, 2021, Alina engaged in ongoing communications with Blackbaud trying to find out exactly what might have been compromised. As their external counsel wrote to the Maine Attorney General’s Office:
Based on communications from Blackbaud, it was Alina Lodge’s understanding that all of our client information stored by Blackbaud was encrypted and not accessible by any unauthorized party.
However, on April 19, 2021, Blackbaud confirmed to Alina Lodge, for the first time, that Alina Lodge’s client information was not in fact encrypted – with the exception of social security numbers.
After an internal investigation, Alina Lodge discovered the three Blackbaud platforms used by Alina Lodge, Raiser’s Edge NXT, Financial Edge NXT, and Research Point¸ stored information of its 2,565 alumni and guarantors. Of these 2,565 alumni and guarantors, 7 were Maine residents whose information stored on the impacted Blackbaud platforms may have included: the name, address, phone number, date of birth, admission/discharge date, and other limited treatment information.
For those who like to point fingers or assign responsibility, who’s responsible here? Should Alina Lodge have already known what was stored with Blackbaud? Should Alina have received any reports or logs from Blackbaud routinely to show what was stored and how? Is this solely on Blackbaud? Or is there a shared responsibility here?
If there are lessons to be learned, what are they?