Nonprofit & Charity Data Breaches

Most people give to nonprofits to make a difference, not to have their personal data exposed. According to a 2023 report, approximately 27% of nonprofit organizations worldwide experienced a cyberattack in the previous year. These incidents often enable hackers or unauthorized third parties to access sensitive information, including donor and volunteer details, financial data, and even medical records.


This trend puts anyone who shares their information with a nonprofit at risk of identity theft and financial loss. If you or a loved one has suffered harm due to a nonprofit or charity data breach and you are unsure what to do next, Class Action U can help you seek accountability and compensation.

Why Nonprofits and Charities Are Prime Targets for Data Breaches

Nonprofits face many of the same security threats as large corporations, but with far fewer resources to fight them. Hackers often see these organizations as easy targets because they handle valuable personal data but lack the funding and staff to fully secure it.

Limited Cybersecurity Resources and Budget Constraints

Most nonprofits operate on tight budgets and focus their funds on public services rather than technology upgrades. In fact, one study found that approximately 56% of non-governmental organizations lack a dedicated cybersecurity budget. Hackers are aware of this, which makes nonprofits a more attractive target for attacks.

High Volume of Sensitive Data

Nonprofits collect an enormous amount of personal information through donation forms, volunteer lists, and program applications. These records can include names, home addresses, phone numbers, credit card or bank account details, Social Security numbers, and health information. This data is highly valuable to hackers, who may sell it online, use it to steal identities, or directly access victims’ financial accounts.

Reliance on Third-Party Vendors

Many nonprofits use outside companies to help with payment processing, email marketing, and donor management systems. These services make operations easier, but they can also create more opportunities for organizations to become victims of cyberattacks. If a third-party vendor’s security is weak, the nonprofit’s stored data may be exposed in a breach.

Notable Data Breaches in the Nonprofit & Charity Sector

Data breaches have affected nonprofit organizations of every size, mission, and industry—from small community charities to large international aid groups. Millions of people have had their personal and financial details compromised in these attacks. The following are some examples of recent nonprofit or charity data breaches in the USA.

New York Blood Center Enterprises Data Breach (2025)

In September 2025, New York Blood Center Enterprises, or NYBCE, issued a notice to clinical services recipients regarding a cybersecurity incident that had occurred earlier in the year. The organization discovered the breach on January 26, 2025, and found that an unauthorized party had accessed the personal, financial, and possibly medical information for those using direct deposit.

The nonprofit’s data security breach may have affected about 200,000 patients who received services through the organization. However, NYBCE stated that it does not maintain contact information for all patients and couldn’t notify all affected individuals directly. As a result, many victims may not discover that their data has been compromised until signs of identity theft appear.

Ascension Health System Data Breach (2025)

In April 2025, Ascension began notifying patients of a data breach linked to a former business partner.

Ascension learned on December 5, 2024, that a former business partner, to which Ascension had unintentionally disclosed patient data, had suffered a hacking incident. That information was likely stolen when a hacker exploited a vulnerability in third-party software to access data the partner held in its systems.

The compromised data likely included names, addresses, phone numbers, birthdates, email addresses, race and gender information, Social Security numbers, medical record numbers, and insurance details. It also included sensitive clinical information, such as patients’ diagnoses, billing codes, discharge dates, and the names of doctors and facilities from which the patient received care.

Overall, the breach affected over 437,000 people across Alabama, Michigan, Indiana, Tennessee, and Texas. Those affected are primarily patients who had previously received services at Ascension facilities in those states.

Catholic Charities of Southern Nevada Data Breach (2025)

In February 2025, Catholic Charities of Southern Nevada reported a data breach that exposed names, Social Security numbers, dates of birth, driver’s license numbers, and health information. The organization detected suspicious activity in June 2024 and hired a cybersecurity firm, which found that an unauthorized actor had accessed data stored in its network.

Easterseals Central Illinois Ransomware Attack (2024)

In October 2024, the disability nonprofit Easterseals confirmed that its Central Illinois location had experienced a ransomware attack earlier in the year. The organization first detected a network disruption on April 1, 2024, which affected access to several internal systems. A forensic investigation later determined that an unauthorized actor accessed files containing personal information.

The Rhysida ransomware group claimed responsibility for the attack, which affected 14,855 people. The compromised information included full names, addresses, Social Security numbers, driver’s license and passport details, as well as medical and health information.

The attackers demanded a $1.3 million ransom and threatened to leak the stolen data. Easterseals implemented enhanced cybersecurity measures in response to the attack.

International Committee of the Red Cross Data Breach (2022)

In January 2022, the International Committee of the Red Cross, or ICRC, determined that hackers had breached servers containing personal data from more than 515,000 vulnerable people worldwide. The attack was targeted at a Switzerland-based contractor that had stored the organization’s data.

The compromised information included names, locations, and contact details of individuals who received assistance from the Red Cross and Red Crescent Movement. Many of those affected were missing people and their families, detainees, and individuals affected by armed conflict, natural disasters, or migration. An investigation revealed that attackers had exploited an unpatched vulnerability in an authentication module. This allowed them to infiltrate the network in November 2021 and remain undetected for about 70 days.

The attackers did not demand a ransom and have not leaked or sold the data. After learning of the breach, the ICRC took the affected servers offline and implemented enhanced security measures before restoring operations. The temporary shutdown affected the organization’s ability to reunite separated family members through its Restoring Family Links operations.

Blackbaud Data Breach (2020)

In July 2020, an outside actor gained unauthorized access to the systems of Blackbaud, a fundraising software company.

The breach potentially exposed data from 13,000 nonprofit organizations, including universities, hospitals, charities, and religious institutions. It compromised sensitive details, including donor and client financial information, Social Security numbers, and health records. Investigators later found that Blackbaud had paid a ransom to the attacker in exchange for deleting the stolen data.

In 2023, the company agreed to pay $49.5 million to settle claims brought by the attorneys general of 49 states and Washington, D.C. These claims alleged that Blackbaud had downplayed the breach and failed to properly protect consumer information. While the company did not admit wrongdoing, it also paid a $3 million fine to the U.S. Securities and Exchange Commission for misleading investors about the nature of the stolen data.


Consequences of Nonprofit & Charity Data Breaches

Donors, volunteers, employees, and beneficiaries can all suffer significant consequences when a nonprofit experiences a data breach. Because nonprofits typically serve vulnerable populations, the misuse of their personal or financial information can be especially damaging. Common repercussions include:

  • Identity theft: Attackers may use stolen Social Security numbers and personal identifiers to open fraudulent accounts, apply for credit under the victim’s name, or file false tax returns. This may make it harder for victims to qualify for loans, housing, or employment. Those affected may also have to spend large amounts of resources on disputing the fraud and restoring their records.
  • Financial loss: After accessing exposed credit card or banking details, hackers may make unauthorized transactions or drain victims’ bank accounts. Victims may lose savings or be forced to pay back debt they never willingly took on. These losses can disrupt bill payments and cause financial instability until the funds are recovered—if recovery is even possible.
  • Emotional stress: Victims who learn that their sensitive data has been stolen may experience ongoing anxiety and fear of future misuse. Monitoring accounts and responding to fraud can lead to significant psychological strain. In some cases, the exposure of personal information can also cause embarrassment or reputational harm.

Nonprofit Legal Obligations for Data Protection

Nonprofit organizations must comply with data privacy regulations that protect the information they collect from donors, volunteers, employees, and beneficiaries.

The Health Insurance Portability and Accountability Act, or HIPAA, is a key federal data breach law in the United States. HIPAA protects patients’ health information and sets national privacy standards for organizations that handle medical records. It requires covered organizations to notify affected individuals following a breach of unsecured protected health information.

Another noteworthy law is the Federal Trade Commission Act. Under the FTC Act, organizations have a duty to protect consumer data. The Federal Trade Commission may take action when organizations fail to prevent or disclose data breaches.

In addition, each U.S. state has its own breach notification rules. These laws differ significantly between states in terms of scope, timelines, and definitions of personal information.

Compensation for Victims of Data Breaches

If your information was exposed in a data breach, you may be eligible to join or pursue a class action lawsuit. This type of legal action aims to hold negligent organizations accountable for failing to protect sensitive information. When supported by strong evidence, it also helps victims recover from the harm they’ve suffered as a result of the breach.

Depending on the circumstances, the following types of compensation may be available when suing a company for a data breach:

  • Costs related to identity theft protection, such as credit monitoring or fraud alerts
  • Money lost from fraudulent transactions or bank account withdrawals
  • Emotional distress caused by privacy violations, including stress or anxiety
  • Time and expenses spent mitigating fraud risks, such as the cost of replacing identification documents or the time spent disputing fraudulent accounts

How Class Action U Can Help

Our platform helps individuals understand their rights and seek compensation after a nonprofit or charity fails to secure their data. If your personal data has been compromised in this type of incident, we can connect you with an experienced data breach lawyer who can evaluate your situation and explain your legal options.

We believe victims deserve trusted legal support to help them move forward after a breach. The right attorney can provide the advocacy needed to pursue recovery and hold negligent organizations accountable.

Consult a Data Breach Lawyer

If your personal or financial information was compromised in a nonprofit or charity data breach, speaking with a lawyer is one of the most powerful ways to protect yourself. An experienced attorney can pursue the results you deserve while you focus on rebuilding your life.

Start moving forward today with Class Action U. Fill out our online contact form to request a free, no-obligation consultation about your rights and options.