Legal Accountability Mounts for Supply Chain Breaches

Class action lawsuits have been piling up in recent years as the scope and scale of cybersecurity breaches continue unchecked in healthcare and other industries. One of the latest lawsuits, targeting Rady Children’s Hospital in San Diego, goes a step further to hold organizations accountable for breaches suffered by their third-party vendors.

The Rady lawsuit represents a departure from many other recent class action suits that typically go directly after the entity that experienced the breach. In this situation, the targeting of an entity that employed the breached entity as a third-party vendor is potentially a harbinger of future legal action for organizations that fail to effectively manage supply chain risk.

Patient information from the San Diego-based pediatric hospital, Rady Children’s, was exposed during a breach of their third-party vendor, Blackbaud, in the summer of 2020. Blackbaud is a leading provider of fundraising support and solutions and has a substantial presence servicing the healthcare industry. CORL routinely sees Blackbaud show up in the vendor portfolios that we manage for our clients.

Blackbaud experienced one of the largest ransomware attacks of 2020, which saw attackers present in their network from February through June of that same year. The organization paid the attackers to restore systems and erase the stolen patient data; however, the lawsuit alleges that Rady cannot reasonably maintain that the hackers permanently deleted the plaintiffs’ personal information.

The lawsuit is being waged by a guardian of one of the impacted patients and cites violations of the California Confidentiality of Medical Information Act and California Consumer Records Act. The suit charges that Rady patients and their information are now at risk due to Rady’s “negligent conduct and unfair acts and practices”.

It should also be noted that the third party, Blackbaud, is by no means off the legal hook for this particular breach event. To date, over 20 lawsuits have been filed [1] against Blackbaud for the exposure of over 10 million patient records during this incident. The breach impacted a high volume of healthcare entities including some brand names like AdventHealth, Spectrum Health, Vidant Health, and more.

These class action lawsuits are likely going to become a dominant theme for security and risk management programs for years to come. Organizations will need to continue to mature their programs and introduce technology and automation to be able to effectively manage the risk presented by their burgeoning vendor portfolios.

In order to combat these risks, CORL has developed a proprietary data clearinghouse that provides access to the results of over 70,000 vendor assessments. Each year, CORL conducts thousands more vendor risk assessments on behalf of our clients. Chances are very high that we have already assessed a substantial portion of your existing and new vendors from a security, risk, and compliance perspective.

Contact our team here at CORL to learn more about our assessment data clearinghouse and how we can accelerate your program response time and reduce costs for managing risk for your supply chain.


[1] https://healthitsecurity.com/news/blackbaud-faces-another-lawsuit-as-more-healthcare-victims-reported


About the Author

Jay Stewart
Chief Revenue Officer

Jay is a dynamic, growth-minded sales leader with more than 10 years of experience in the healthcare information security space. As Vice President of Sales, Jay is responsible for bringing our best-in-class solutions and services for cybersecurity, risk management, and compliance to healthcare payors, providers, and business associates across the country. Jay is a frequent speaker with strong operational experience in vendor risk management programs and deep knowledge of multiple regulatory and compliance frameworks, including HIPAA, HITRUST, ISO, and NIST.
