Attorney General Phil Weiser announces $49.5 million multistate settlement with software company Blackbaud over 2020 data breach

Oct. 5, 2023 (DENVER) – Attorney General Phil Weiser joined 49 other attorneys general in a settlement with software company Blackbaud for its deficient data security practices and inadequate response to a 2020 ransomware event that affected thousands of nonprofits and millions of consumers across the country. Under the settlement, Blackbaud agreed to overhaul its data security and breach notification practices and make a $49.5 million payment to states. Colorado will receive over $785,000 from the settlement.

Blackbaud provides contact and donor management software to 13,000 nonprofit and government organizations, including charitable, education, health care, religious, and cultural organizations. The 2020 breach exposed contact and demographic information, Social Security and driver’s license numbers, financial and employment information, donation history, and protected health information.

Today’s settlement resolves allegations that Blackbaud violated state and federal consumer protection, data security, and health information laws by failing to implement reasonable data security and remediate known security gaps, allowing criminals to gain access to Blackbaud’s network. The company then failed in their obligation to provide customers with timely, accurate information about the incident. Affected consumers received significantly delayed notifications about the event or no notification at all. Blackbaud also downplayed the incident, leading customers to believe that no notification was required.

“Blackbaud failed the organizations that relied on the company for cybersecurity, and in doing so broke the law,” said Weiser. “While we can’t go back and undo the harm consumers experienced, this bipartisan coalition of attorneys general fought to ensure community institutions and consumers will be better protected in the future.”

Under the settlement, Blackbaud agrees to strengthen its data security and breach notification practices. This includes prohibiting the company from misrepresentations related to the handling of, and responsibilities related to, personal data. The company will also be required to implement plans for adequate responses to future breaches, including providing customers with all required compliance support, notifications to company leadership, employee training, adopting best cybersecurity practices, and undergoing independent compliance checks for seven years.

The $785,000 Blackbaud will pay can be used for any restitution where possible, consumer education, consumer fraud or antitrust enforcement, or efforts to advance the public welfare.

###

Attorney General Phil Weiser announces settlement in Savory Spice Shop data breach that impacted more than 13,000 Coloradans

Learn More →

Attorney General Phil Weiser announces settlement with Broomfield skilled nursing facility over 2021 data breach

Learn More →

Most Recent

Eye care clinics agree to pay combined $520K over illegal Medicaid billing

Jan. 15, 2026 (DENVER) — Attorney General Phil Weiser today announced a settlement with Apex Vision and Wellness, a Greeley-based eye clinic, and Just for Grins Vision, a Fountain-based eye clinic, to resolve allegations that the clinics illegally billed the […]

Attorney General Phil Weiser sues HHS for conditioning funding on discriminatory policy

Jan. 13, 2026 (DENVER) – Attorney General Phil Weiser today joined 11 other attorneys general in suing the U.S. Department of Health and Human Services for unlawfully conditioning billions of dollars in federal funding on states’ agreement to discriminate against […]

Fall semester Safe2Tell data shows reporting shift while critical interventions continue

Jan. 13, 2026 (DENVER) — Safe2Tell saw a decline in fall semester reports compared with last year, even as the period included some of the highest reporting months in the program’s history, according to the monthly report released by the […]