AG Jennings announces $350 million multistate settlement with marketing firm Publicis over role in opioid epidemic

Attorney General Kathy Jennings today announced a $350 million national settlement with Publicis Health to resolve investigations into the global marketing and communications firm’s role in the prescription opioid crisis. Delaware will receive over $1.5 million from the settlement to help address the opioid crisis. 

In agreeing to the terms of the settlement, Publicis recognized the harm its conduct caused, and the agreement will give Delaware’s communities hit hardest by the opioid crisis more financial support for treatment and recovery, building lasting infrastructure, and saving lives. The company will also disclose on a public website thousands of internal documents detailing its work for opioid companies like Purdue Pharma and will stop accepting client work related to opioid-based Schedule II or other Schedule II narcotics. 

“Publicis helped Big Pharma aggressively promote and sell opioids and profited off of thousands of Delawareans’ pain and suffering,” said Attorney General Kathy Jennings. “We can never bring back the lives that were lost in Big Pharma’s pursuit of profit, but settlements like this give us the resources to get help to those who are still grappling with the devastation that this epidemic has caused across our state.” 

Today’s filings describe how Publicis’ work contributed to the crisis by helping Purdue Pharma and other opioid manufacturers market and sell opioids. Court documents detail how Publicis acted as Purdue’s agency of record for all its branded opioid drugs, including OxyContin, even developing sales tactics that relied on farming data from recordings of personal conversations between patients and providers. Publicis was also instrumental in Purdue’s decision to market OxyContin to providers on patients’ electronic health records.

Thousands of Delawareans have died of overdoses since 2000. These deaths—and the impacts on thousands who have struggled with opioid addiction—have created considerable costs for Delaware’s health care, child welfare, and criminal justice systems. More significant than the dollars and cents, the impacts of opioid addiction, substance use, and overdose deaths have torn families apart, damaged relationships, and devastated communities.

Today’s filing is the latest action Attorney General Jennings has taken to combat the opioid crisis and to hold accountable those responsible for creating and fueling the crisis. 

To date, Attorney General Jennings has obtained settlements and other resolutions of the State’s opioid-related claims that are expected to result in nearly a quarter billion dollars being paid to address the opioid crisis in Delaware. As with previous opioids-related settlements, Delaware’s share of the Publicis settlement will go to the State’s Prescription Opioid Settlement Distribution Fund and be distributed on the recommendations of an independent commission pursuant to bipartisan legislation supported by AG Jennings. Spending from the Fund is largely restricted to services that reduce or remediate the harms caused by opioids.


Attorney General Jennings Announces $150 Million Settlement with Hikma Pharmaceuticals to Help Combat Opioid Crisis

Attorney General Kathy Jennings announced today a $150 million multistate settlement in principle with opioid manufacturer Hikma Pharmaceuticals (Hikma) for its role in fueling the opioid crisis. Hikma produces a range of generic opioid products and sells hundreds of millions of opioid doses every year. The attorneys general allege that from 2006 to 2021, Hikma failed to monitor and report suspicious opioid orders from potentially illegal distributors, even while its personnel knew their systems to monitor suspicious orders were inadequate and prone to failure. The settlement will provide $115 million in cash and $35 million in opioid addiction treatment medication to resolve claims brought by states and local communities against Hikma. States that do not accept the medication will receive cash in lieu of product.

“Hikma contributed to an ongoing crisis that has claimed thousands of Delawareans’ lives,” said Attorney General Jennings. “Now they’re being held accountable. The funds from this settlement will go towards our efforts to support recovery and abatement efforts in Delaware and to reverse some of the damage that Big Pharma has done to our communities.”

As part of the settlement in principle, Hikma will pay $150 million to participating states and localities, encompassing $115 million in cash and $35 million worth of opioid addiction treatment medication. 

The settlement in principle was negotiated by the attorneys general of New York, California, Delaware, Tennessee, Utah, and Virginia in coordination with an executive committee consisting of the attorneys general of Colorado, Idaho, Illinois, Massachusetts, North Carolina, Ohio, and Oregon.  


Delaware joins $10 million settlement with ACI Worldwide over attempted unauthorized withdrawals

Attorney General Jennings joined a multistate coalition of attorneys general announcing a $10 million settlement with payment processor ACI Worldwide over a 2021 testing error that led to the attempted unauthorized withdrawal of $2.3 billion from the accounts of mortgage-holders.

This case was investigated and negotiated with the state financial regulators. The state regulators have entered into a separate agreement with ACI for an additional $10 million.

ACI Payments, a subsidiary of ACI Worldwide Corp., is a payment processor for a variety of third-party clients, including mortgage servicers. Nationstar Mortgage, known publicly as Mr. Cooper, offered ACI’s Speedpay product to its customers so they could schedule and electronically pay their monthly mortgage payments through the Automated Clearing House (ACH) system. On April 23, 2021, ACI was testing the Speedpay platform when it erroneously submitted live Mr. Cooper consumer data into the ACH system. This resulted in ACI erroneously attempting to withdraw mortgage payments from hundreds of thousands of Mr. Cooper customers on a day that was not authorized or expected. In many cases, consumers were subjected to the attempted withdrawal of multiple mortgage payments from their personal bank accounts. While the vast majority of withdrawals did not ultimately go through or were reversed, 1.4 million transactions totaling $2.3 billion were processed, impacting 477,000 Mr. Cooper customers. While ACI took corrective steps to minimize the impact of the testing error, in some cases consumers were not able to access the money at issue and were forced to incur overdraft or insufficient funds fees. Impacted consumers have received restitution from ACI and through other related settlements.

“This was excellent work on the part of our office and our partners,” said Attorney General Jennings. “We will continue to honor our commitment to protecting our community; if companies doing business in Delaware harm consumers, they will pay a price.”

The investigation determined that the April 2021 incident was possible due to significant defects in ACI’s privacy and data security procedures and technical infrastructure related to the Speedpay platform. In addition to the $20 million payment to the states, today’s settlement requires ACI to take steps to avoid any future incidents, including requiring ACI to use artificially created data rather than real consumer data when testing systems or software, and requiring ACI to segregate any testing or development work from its consumer payment systems.

This matter was handled for the Delaware Department of Justice by the Fraud and Consumer Protection Division’s Consumer Protection Unit.


Attorney General Jennings announces multistate settlement with Inmediata for data breach im

Attorney General Jennings announced today that Delaware, along with 32 other attorneys general, has reached a settlement with healthcare clearinghouse Inmediata for a coding issue that exposed the protected health information (“PHI”) of approximately 1.5 million consumers for almost three years. Under the settlement, Inmediata has agreed to overhaul its data security and breach notification practices and make a $1.4 million payment to states. Delaware will receive $15,470 from the settlement.

“This settlement once again underscores our commitment to protecting Delaware citizens and holding companies accountable for breaches of customer data and vulnerabilities in their services,” stated Attorney General Jennings.

As a healthcare clearinghouse, Inmediata facilitates transactions between healthcare providers and insurers across the United States. On January 15, 2019, the U.S. Department of Health & Human Services’ Office of Civil Rights alerted Inmediata that PHI maintained by Inmediata was available online and had been indexed by search engines. As a result, sensitive patient information could be viewed through online searches, and potentially downloaded by anyone with access to an internet search engine.

Although Inmediata was alerted to the breach on January 15, 2019, Inmediata delayed notification to impacted consumers for over three months and sent misaddressed notices. Further, the notices were far from clear—many consumers complained that without sufficient details or context, they had no idea why Inmediata had their data, which may have caused recipients to dismiss the notices as illegitimate.

Today’s settlement resolves allegations of the attorneys general that Inmediata violated state consumer protection laws, breach notification laws, and HIPAA by failing to implement reasonable data security, including failing to conduct a secure code review at any point prior to the breach, and then failing to provide affected consumers with timely and complete information regarding the breach, as required by law.

Under the settlement, Inmediata has agreed to strengthen its data security and breach notification practices going forward, including implementation of a comprehensive information security program with specific security requirements that include code review and crawling controls, development of an incident response plan including specific policies and procedures regarding consumer notification letters, and annual third-party security assessments for five years.

This matter was handled for the Delaware Department of Justice by the Fraud and Consumer Protection Division’s Consumer Protection Unit. Additional information regarding data security breaches can be found on the Department of Justice’s website.


AG Jennings Announces $49.5 Million Blackbaud Data Breach Settlement

Attorney General Jennings announced today that Delaware has reached a multistate settlement with software company Blackbaud for its deficient data security practices and response to a 2020 ransomware event that exposed the personal information of millions of consumers across the United States. Under the settlement, Blackbaud has agreed to overhaul its data security and breach notification practices and make a $49.5 million payment to the states. Delaware will receive $380,662 from the settlement. 

“This settlement underscores our commitment to protecting Delaware’s citizens, particularly the most vulnerable, and holding software companies accountable for breaches of customer data and vulnerabilities in their services,” stated Attorney General Jennings. “This office will continue to hold these businesses accountable.” 

Blackbaud provides software to various nonprofit organizations, including charities, higher education institutions, K-12 schools, healthcare organizations, religious organizations, and cultural organizations. Blackbaud’s customers use Blackbaud’s software to connect with donors and manage data about their constituents, including contact and demographic information, Social Security numbers, driver’s license numbers, financial information, employment and wealth information, donation history, and protected health information. This type of highly sensitive information was exposed during the 2020 data breach, which impacted over 13,000 Blackbaud customers and their respective consumer constituents. 

This settlement resolves allegations of the attorneys general that Blackbaud violated state consumer protection laws, breach notification laws, and HIPAA by failing to implement reasonable data security and remediate known security gaps, which allowed unauthorized persons to gain access to Blackbaud’s network, and then failing to provide its customers with timely, complete, or accurate information regarding the breach, as required by law. As a result of Blackbaud’s actions, notification to the consumers whose personal information was exposed was significantly delayed or never occurred at all insofar as Blackbaud downplayed the incident and led its customers to believe that notification was not required. 

Under the settlement, Blackbaud has agreed to strengthen its data security and breach notification practices going forward, including: 

  • Prohibition against misrepresentations related to the processing, storing, and safeguarding of personal information; the likelihood that personal information affected by a security incident may be subject to further disclosure or misuse; and breach notification requirements under state law and HIPAA.
  • Implementation and maintenance of incident and breach response plans to prepare for and more appropriately respond to future security incidents and breaches.
  • Breach notification provisions that require Blackbaud to provide appropriate assistance to its customers and support customers’ compliance with applicable notification requirements in the event of a breach.
  • Security incident reporting to the CEO and Board, enhanced employee training, and appropriate resources and support for cybersecurity.
  • Personal information safeguards and controls requiring total database encryption and dark web monitoring.
  • Specific security requirements with respect to network segmentation, patch management, intrusion detection, firewalls, access controls, logging and monitoring, and penetration testing.
  • Third-party assessments of Blackbaud’s compliance with the settlement for 7 years.

This matter was handled for the Delaware Department of Justice by the Fraud and Consumer Protection Division’s Consumer Protection Unit. Additional information regarding data security breaches can be found on the Department of Justice’s website. Delaware consumers with additional questions regarding the Blackbaud data breach or how their data may have been impacted may contact Delaware’s Consumer Protection Unit at (302) 683-8800 or (800) 220-5424.