PORTLAND, Ore. (KOIN) – Oregon will receive over $650,000 as part of a $50 million multi-state settlement after a 2020 data breach at a software company exposed personal information of millions of people across the United States, Oregon Attorney General Ellen Rosenblum announced.

Oregon and all 50 states, and the District of Columbia, reached the settlement with software company Blackbaud over the company’s “deficient data security practices,” and the company’s response to the attack, officials said.

The software is used by various non-profits, schools, and healthcare organizations to “connect with donors and manage data about their constituents,” Rosenblum said – noting this includes contact information, Social Security numbers, driver’s license numbers, protected health information, and financial information.

Officials said this type of information was exposed during the 2020 data breach, impacting over 13,000 Blackbaud customers and their constituents.

The attorneys general alleged that Blackbaud violated state consumer protection laws, breach notification laws and HIPAA by not implementing “reasonable data security,” and failing to provide timely or accurate information about the breach.

According to Rosenblum, Blackbaud downplayed the ransomware attack, leading its customers to believe notification of data breach was not required. Notifications to consumers, whose personal information was exposed, was either delayed or never occurred, Rosenblum said.

“Blackbaud’s misconduct was nothing short of egregious. They showed real disregard for the impact their data breach had on the lives of millions of consumers and non-profits and failed to live up to well-established legal and ethical standards,” Rosenblum said in a statement. “While the money is significant, this is a case that demonstrates the importance of compliance with meaningful data security and breach notification practices going forward.” 

Under the settlement, Blackbaud agreed to overhaul its data security and notification practices and must pay $49.5 million to the states, officials said. As part of the settlement, Oregon will receive $655,791, Rosenblum announced — noting 174 organizations in Oregon were impacted by the breach.

Funds from the settlement will go to the Oregon Department of Justice for investigative, consumer protection, and consumer education efforts, officials said.

In addition to a security overhaul, Blackbaud must undergo third-party assessments of their compliance with the settlement for seven years.