Blackbaud Data Breach Lawsuit: 2020 Ransomware Claims
Data Breach · Class Certification Denied

Blackbaud Data Breach Class Action Lawsuit

Published July 14, 2026

If a charity, hospital foundation, school, or university told you your data was exposed in 2020, the common link for thousands of them was one vendor: Blackbaud. Here is where the litigation landed — and why there is no consumer payout.

A conceptual data-breach image, representing the Blackbaud 2020 ransomware data breach litigation, MDL 2972
Blackbaud's 2020 ransomware breach swept up donor, patient, student, and alumni data held by more than 13,000 client organizations. The consolidated litigation is MDL No. 2972 in the District of South Carolina.
Allegations Only · No Consumer Settlement

This article describes class action litigation and related regulatory actions. The plaintiffs' statements are unproven allegations. Blackbaud has not been found liable in the private litigation, there is no certified consumer class, and there is nothing for consumers to claim. This page is informational and is not legal advice.

What Is This About?

Blackbaud, Inc. — a South Carolina cloud software and data company that serves nonprofits, schools, universities, and healthcare foundations — faced a wave of class action litigation after a 2020 ransomware attack. The consolidated case is In re: Blackbaud, Inc., Customer Data Security Breach Litigation, MDL No. 2972, in the U.S. District Court for the District of South Carolina, before Senior Judge Joseph F. Anderson Jr. The Judicial Panel on Multidistrict Litigation centralized the cases on December 15, 2020.

The breach was unusual in its shape: Blackbaud does not sell to the public, so the people whose data was exposed were the donors, patients, students, and alumni whose information sat inside databases that Blackbaud's thousands of client organizations kept in its software. Plaintiffs allege Blackbaud failed to secure that data. Blackbaud has not been found liable in the private litigation, and those claims remain unproven allegations.

Status In Litigation — Class Certification Denied MDL 2972 · D.S.C. · Judge Joseph F. Anderson Jr. · cert denied May 2024; claims now proceed individually
Scale 13,000+ organizations affected 2020 ransomware · donors, patients, students & alumni · some SSNs, bank & health data · individual count never officially quantified
Can I Claim? No — nothing to claim No consumer class settlement · regulator settlements went to governments, not individuals

What Happened and What Was Exposed

In its 2020 ransomware attack, an intruder had access to Blackbaud's environment from roughly February to May 2020 before being discovered. Blackbaud began notifying its customer organizations in mid-August 2020, and those organizations then notified their own constituents. According to regulators, the exposed data included names, contact and demographic information, and donation history, and for some individuals Social Security numbers, bank or financial account information, and protected health information.

One point drew particular regulatory attention. The SEC's order found that Blackbaud initially told the public the attacker had not accessed bank account information or Social Security numbers, when Blackbaud's own investigators had determined that such data was in fact taken. Separately, plaintiffs alleged in the litigation that hundreds of terabytes of data were exfiltrated and that the putative class numbered around 1.5 billion people — but those are litigation estimates, not confirmed counts. The one figure regulators confirmed is that more than 13,000 customer organizations were affected; the precise number of individuals was never officially quantified.

Why the Consumer Class Was Denied

This case matters as much for how it turned out procedurally as for the breach itself. After surviving an early motion to dismiss in 2021, the plaintiffs moved to certify a class. In May 2024, Judge Anderson denied certification, finding the plaintiffs had not shown an administratively feasible way to identify the members of a class they estimated at roughly 1.5 billion people, and excluding the plaintiffs' proposed identification method as unreliable. The court later denied a renewed attempt to certify.

The practical result: there is no certified consumer class. The remaining claims are being pursued individually by a group of named plaintiffs, rather than on behalf of everyone whose data was exposed. That is very different from a case marching toward a class-wide settlement — and it is the main reason there is no class-wide claims process for the general public.

Regulators Settled — Consumers Did Not

While the private class case stalled at certification, government enforcers reached their own resolutions. None of them is a consumer claim fund:

Multistate Attorneys General settlement (~$49.5 million, October 2023): Blackbaud agreed to pay $49.5 million to 49 states and the District of Columbia and to overhaul its security. The money goes to the states, not to individuals.
SEC penalty ($3 million, March 2023): A civil penalty for misleading disclosures about the attack. It is paid to the government, and consumers do not file a claim under it.
FTC order (2024): Requires Blackbaud to delete data it no longer needs and to build a comprehensive security program. There is no monetary penalty and no consumer payment.

In short: regulators have resolved their matters, but the private consumer class action has not produced a settlement or a claim form.

Who Is Affected and What You Can Do

The affected population is people whose personal data was held inside a Blackbaud client organization's database — donors, hospital and foundation supporters, patients, students, and alumni of the 13,000-plus affected nonprofits, schools, universities, and healthcare foundations. Most were notified by the client organization (or by Blackbaud) starting in mid-August 2020.

• Keep any breach notice you received — it identifies which organization held your data and what was exposed.
• Consider a free credit freeze and fraud alerts, and monitor your financial accounts.
• Because the case is not proceeding as a consumer class, there is no class-wide claim to file; be skeptical of any "Blackbaud claim form" aimed at the general public.

For breach settlements that are open and claimable now, see OCA's data breach settlements tracker.

Frequently Asked Questions

Is there a Blackbaud settlement for consumers?

No consumer class settlement or claim form exists. The court denied class certification in May 2024, and the case is proceeding individually. The ~$49.5M multistate settlement, the SEC penalty, and the FTC order are government resolutions, not consumer payouts.

What was exposed?

Names, contact and demographic data, and donation history, and for some people Social Security numbers, bank or financial account information, and health data. More than 13,000 client organizations were affected.

Do I need to file a claim?

No. There is no consumer class claim to file. Keep any breach notice you received and monitor your accounts. If any future settlement opens a claims process, it would be announced separately.

Sources

• Judicial Panel on Multidistrict Litigation — transfer order creating MDL No. 2972 (Dec. 15, 2020), via GovInfo: JPML Transfer Order
• Justia Dockets — In re Blackbaud, Inc., Customer Data Security Breach Litigation, MDL No. 2972 (D.S.C.): Justia Docket (MDL 2972)
• U.S. Securities and Exchange Commission — $3 million penalty for misleading disclosures (Mar. 9, 2023): SEC Press Release 2023-48
• Virginia Attorney General — $49.5 million multistate settlement with Blackbaud (Oct. 5, 2023): Virginia AG Press Release


For more class actions keep scrolling below.
Status In Litigation — Class Certification Denied (individual claims proceeding)
Case In re Blackbaud, Inc., Customer Data Security Breach Litigation
MDL Number MDL No. 2972 · No. 3:20-mn-02972
Court U.S. District Court, District of South Carolina · Judge Joseph F. Anderson Jr.
Consolidated December 15, 2020 · breach disclosed mid-2020

Related Data Breach Cases & Settlements