Breach of GoAnywhere File Transfer App at Brightline Affected 1 Million Patients

Virtual mental health provider Brightline has agreed to pay $7 million to settle a proposed federal class action lawsuit involving a 2023 data breach affecting about 1 million people. The incident stemmed from ransomware gang Clop’s exploitation of a zero-day vulnerability in software vendor Fortra’s GoAnywhere managed file transfer application.
Palo Alto, Calif.-based Brightline provides virtual behavioral health coaching and therapy for families with children ages 18 months to 17 years (see: Health Plan, Mental Health Provider Hit by GoAnywhere Flaw).
The settlement, approved Tuesday by a Florida federal judge, provides up to $5,000 to each class member for eligible claims of documented losses – such as identity theft and fraud – related to the incident. As an alternative, class members can choose a flat $100 cash payment.
In addition, California settlement subclass members may make a claim for the California Statutory Award in the amount of $100.
Class members can also claim three years of complimentary credit monitoring, or one additional year if a settlement class member previously accepted Brightline’s earlier offer of two years of coverage.
Attorneys representing the plaintiffs and class members in the Brightline case are slated to receive up to 33% of the settlement fund, or about $2.3 million in fees and expenses.
Litigation Details
Among other allegations, the amended consolidated complaint against Brightline claimed negligence in the organization’s failure to safeguard sensitive information of its customers and violations of California’s consumer privacy and unfair competition laws.
Under the settlement, Brightline denies all allegations and claims of wrongdoing and liability.
At the center of the Brightline breach was the January 2023 theft of private information belonging to the lawsuit’s plaintiffs and approximately 1 million other people as a result of unauthorized access to the Fortra GoAnywhere MFT application that Brightline used, the complaint said.
In the incident, Russian-speaking digital extortion group Clop, aka CL0P, exploited a zero-day vulnerability in the software to steal data from what the gang claimed were more than 130 victims over the course of 10 days.
Information potentially contained in the files acquired by the hackers included individuals’ names, addresses, member IDs, dates of birth, phone numbers, employers’ names and group ID numbers, health plan coverage start and end dates, and Social Security numbers, the lawsuit against Brightline alleges.
The proposed class action lawsuit against Brightline is part of litigation across multiple court districts against several other breached organizations similarly affected by the GoAnywhere hack.
Those other cases are centralized in the U.S. District Court for the Southern District of Florida and divided into several tracks, including a track containing the Brightline litigation.
“By remaining in the settlement class, you will not be releasing any claims relating to any such other entities,” said a notice posted on the Brightline settlement website.
Most of the other related consolidated lawsuits involving the Fortra hack are still pending in court (see: Fortra GoAnywhere Data Breach Lawsuits Get Consolidated).
“Private class action plaintiffs are the most active and fearsome health information privacy enforcers,” said regulatory attorney Paul Hales of the Hales Law Group. “They likely will have a much more significant role now because the Trump administration is modifying federal agency enforcement.”
Neither Fortra nor attorneys representing Brightline immediately responded to Information Security Media Group’s requests for comment on the lawsuit and the settlement.
Fortra was not the only managed file transfer software vendor attacked by Clop in recent years. The group has also launched supply chain attacks against at least three other managed file transfer software platforms built by Accellion, Serv-U and Progress Software’s MOVEit (see: Hackers Hit Secure File Transfer Software Again and Again).