A settlement has been reached in a years-long investigation into a national data breach.

Vermont Attorney General Charity Clark, who led the case along with Indiana Attorney General Todd Rokita, says a 2020 ransomware attack on software company Blackbaud compromised the personal and private information of 15,000 Vermonters. The data breach affected over 13,000 institutions across the country, with people in New York and New Hampshire being impacted as well.

Blackbaud will pay close to $50 million to 49 states and Washington D.C. in the settlement. Vermont will receive $3 million, New York is getting $2.9 million, and $413,500 is heading to New Hampshire.

California is the one state that was not involved in the settlement.

In a conference on the announcement, Clark said, “Our investigation determined that this breach occurred because Blackbaud did not have sufficient data security practices in place, leaving open known gaps in their system that was targeted by the hacker.”

Clark also said that Blackbaud did not give customers proper notice that their data was compromised. Rather, they gave a delayed notice that she says was inaccurate, misleading, and downplayed the severity of the breach.

As part of the settlement, Blackbaud will have to make data security improvements moving forward.

According to NH Attorney General John Formella, Blackbaud provides software to nonprofits, charities, education institutions, schools, healthcare organizations, as well as religious and cultural organizations. Customers use their software to connect with donors and manage data about their constituents, including contact information, Social Security numbers, financial information, and health information.

In a statement on the settlement, Formella wrote, “In this case, we are talking about non-profit organizations being left vulnerable and in the dark about their data being jeopardized. Companies storing consumers’ data have a responsibility to not only protect it but to do the right thing when a breach occurs.”

NY Attorney General Letitia James weighed in as well, writing, “Blackbaud was supposed to safeguard the private information held by nonprofits regarding donors and customers, but instead its poor data security measures put everyone at risk.”

Clark is also bringing attention to cybersecurity awareness month this October. So far this year, 467 breaches have been reported to the Attorney General’s office, with 89,000 Vermonters affected.

She says her office is working on a data privacy bill to promote the best practices for data storage in the state.

Clark said, “Data minimization means you shouldn’t collect data you don’t need, and you shouldn’t store it longer than you need it for. Implementation of this best practice would have made a difference in this case. I believe it’s time we codify data minimization into law.”

Vermont’s Assistant Attorney General John Layman, said, “Consumers who were affected by a breach or worried about it can always contact our consumer assistance program.”