Insurers just scored a major win in the long-running legal fallout from the 2020 Blackbaud ransomware attack.
On February 13, 2026, the Delaware Supreme Court reversed a lower court's dismissal of subrogation claims brought by a group of insurers against Blackbaud, Inc., the software application and data hosting provider whose major data breach exposed confidential information belonging to dozens of nonprofit and educational organizations.
The ruling, issued en banc in Travelers Casualty and Surety Company of America, and Philadelphia Indemnity Insurance Company, Acadia Insurance Company, and Union Insurance Company v. Blackbaud, Inc. (C.A. No. 193, 2025; C.A. No. 198, 2025), sends the case back to the Superior Court and opens the door for insurers to pursue recovery of more than $2.1 million paid out to 97 policyholders.
In 2020, a cyberattacker infiltrated Blackbaud's systems for several months and exfiltrated confidential customer data, including names, Social Security numbers, financial information, and medical information. Blackbaud initially told its clients that "no action is required on your end because no personal information about your constituents was accessed." It later disclosed the cybercriminal may have accessed some unencrypted fields intended for bank account information, Social Security numbers, usernames and/or passwords.
The company agreed to pay a $3 million fine to the SEC for misleading disclosures and paid $49 million to resolve state law claims brought by attorneys general of all 50 states.
Under identical Solutions Agreements governed by New York law, Blackbaud had agreed to maintain administrative, physical, and technical safeguards, keep commercially reasonable information security procedures and standards in place, have a breach response plan ready, and provide 72-hour notice of any breach. Instead, the insureds alleged, Blackbaud failed to conduct an adequate investigation and shifted the burden onto them, handing out a "Toolkit" with instructions to complete their own investigations.
Philadelphia Indemnity paid over $600,000 and Travelers paid over $1.5 million to cover those expenses. The insurers then sued as subrogees and assignees to recover what they had paid out.
The Superior Court tossed the amended complaints with prejudice, ruling the insurers needed to plead individualized facts for each insured rather than presenting claims in the aggregate.
The Supreme Court saw it differently. It found the insurers had identified each insured, the common contract, the shared bases for the breaches, and the same or similar damages. Blackbaud controlled its own information technology systems and knew what was accessed. As for proximate cause, the court held that question is ordinarily one for the trier of fact, not a reason to throw out a case at the pleading stage.
The case now heads back to the Superior Court for further proceedings.
