Mental Health Provider Reaches $7M Settlement in Fortra Hack Lawsuit

Data Breach of GoAnywhere File Transfer App at Brightline Affects 1 Million Patients

Virtual mental health provider Brightline has reached a $7 million settlement in a proposed federal class action lawsuit linked to a data breach that potentially impacted around 1 million individuals. The breach resulted from the ransomware group Clop exploiting a zero-day vulnerability in Fortra’s GoAnywhere managed file transfer application in early 2023.

This incident reflects serious vulnerabilities in organizations’ cybersecurity postures, particularly in the healthcare sector. Brightline offers virtual behavioral health services for families with children ages 18 months to 17 years. The breach exposed sensitive information, including names, addresses, member IDs, and Social Security numbers.

Approved by a federal judge in Florida, the settlement allows for compensation of up to $5,000 per class member for documented losses such as identity theft or fraud. Alternatively, individuals can opt for a flat cash payment of $100. Those categorized under California’s settlement subclass may claim an additional $100 as part of the California Statutory Award. Furthermore, class members are entitled to three years of complimentary credit monitoring, extended to four years for those who previously accepted Brightline’s earlier offer of two years of coverage.

Legal representatives for the plaintiffs stand to receive up to 33% of the total settlement fund, projected at approximately $2.3 million. The complaints against Brightline included allegations of negligence and violations of California’s consumer privacy laws, asserting that the provider failed to sufficiently protect sensitive customer data.

At the core of this breach was the unauthorized access to the Fortra GoAnywhere application, which resulted in the theft of private information from the plaintiffs and approximately 1 million other individuals. The Clop group reportedly claimed responsibility for the theft of data from more than 130 organizations over a span of 10 days, utilizing the zero-day vulnerability for their attack.

According to the lawsuit, the information stolen may have encompassed a wide array of personal details, such as dates of birth, employment information, and health plan coverage details. The legal action against Brightline is part of a broader litigation landscape affecting multiple organizations compromised by the GoAnywhere breach, with cases centralized in the U.S. District Court for the Southern District of Florida.

In light of these breaches, cybersecurity experts advise organizations to prioritize vulnerability management and apply appropriate defensive measures, reflecting the tactics detailed in the MITRE ATT&CK Framework. The attack’s initial access could be attributed to exploitation techniques, while ongoing monitoring and maintained incident response plans are crucial for preventing recurrences.

The risks posed by ransomware as a service continue to escalate, prompting organizations to reevaluate their cybersecurity strategies and posture. As seen in this case, stringent measures are essential for mitigating the impact of such breaches and protecting sensitive data against increasingly sophisticated cyber threats.

Neither Fortra nor legal representatives for Brightline provided immediate comment on the lawsuit or the settlement. Notably, Fortra is not alone in being targeted; Clop has previously launched attacks against several other managed file transfer software platforms, emphasizing the urgent need for enhanced security practices across the industry.
