One-sentence summary:
Brightline was breached in the Clop ransomware group’s campaign exploiting a zero-day vulnerability in Fortra’s GoAnywhere MFT, affecting over 783,606 pediatric patients and 58 covered entities and resulting in a class-action lawsuit.
Who was involved?
Brightline, Inc., Fortra, LLC, 783,606 pediatric patients, and the Clop ransomware group. Brightline is also associated with many covered entities (a total of 58), which it has listed as involved in the breach as well:
“Seward Association for the Advancement of Marine Science dba Alaska SeaLife Center
Competitive Health
Diageo
Banner Corporation dba Banner Bank
Ben Bridge Jeweler, Inc
Carrix, Inc
Chelan County
Coastal Villages Region Fund
Legal Name: Continental Mills, Inc. Common Name: The Krusteaz Co
CRISTA Ministries
Edifecs, Inc.
First Security Bank of WAx
FirstFruits HoldCo, LLC
Football Northwest, LLC
Goodfellows Bros. LLC
Green Diamond Resources
Holland America Group
Insitu, Inc.
Keller Supply
KPMG LLP
Kodiak Island Borough School District
MacDonald-Miller Facility Solutions, LLC
Manke Lumber Company Inc.
Municipality of Anchorage
Nintendo of America Inc.
Northwest Cascade, Inc.
Oberto Snacks Inc.
PND Engineers, Inc.
Pyrotek Inc
Rail Management Services
Seagen Inc.
SolstenXP, Inc.
Space Needle LLC & Center Art LLC
Spokane Teachers Credit Union
Symetra Life Insurance Company
Tanana Chiefs Conference
Undead Labs
University of Alaska
Walla Walla University
Washington Trust Bank
Whitman College
Alaska Central Express, Inc DBA Ace Air Cargo
Alaska Hotel Properties LLC
Alaska Railroad Corporation
ASML
MIIA
HARVARD UNIVERSITY FACULTY AND STAFF (HUFS)
HARVARD UNIVERSITY (HUGHP)
BOSTON CHILDRENS HOSPITAL
BLUE CROSS BLUE SHIELD OF MASS
VERTEX
SOUTH SHORE HEALTH
IUOE
The Board of Directors of the Leland Stanford Junior University (Educated Choices)
Stanford University Post-doctoral Scholars
Stanford Health Care – ValleyCare Employee Health Care Plan
Stanford Health Care Employee Health and Welfare Benefit Plan
Stanford Medicine Partners Employee Health and Welfare Benefit Plan” (Brightline, 2023b)
What was the timeline?
January 30, 2023: Brightline is breached as a part of the GoAnywhere campaign by the Clop ransomware group
February 4, 2023: Brightline discovers the data breach from Fortra
April 7, 2023: Brightline begins consumer notification
May 2, 2023: Class-action lawsuit is filed against Brightline in the federal Northern District of California (Rosa et al v. Brightline, Inc., 2023)
May 3, 2023: The Clop ransomware group tells Bleeping Computer they deleted the data (Toulas, 2023)
What occurred?
Brightline, a pediatric mental health services startup, was breached in the Clop ransomware group’s campaign against Fortra’s GoAnywhere MFT solution, potentially exposing the following sensitive data for at least 783,606 individuals (primarily pediatric patients): “limited amount of protected health information/personal information” with “some combination of the following data elements: individuals’ names, addresses, dates of birth, member identification numbers, date of health plan coverage, and/or employer names” (Brightline, 2023a; HHS, 2023). Over 58 covered entities are implicated (Brightline, 2023b). The Clop ransomware group later reached out to Bleeping Computer with an apology and a statement that they had deleted the data belonging to Brightline (Toulas, 2023). Bleeping Computer confirmed the data was removed from Clop’s leak portal (Toulas, 2023). This did not stop a federal class-action lawsuit from being filed against Brightline in the Northern District of California (Rosa et al v. Brightline, Inc., 2023).
Estimated costs:
Incident response costs, breach notification costs, 2 years of identity theft services from Cyberscout
Involved laws:
Federal: HIPAA, HITECH, and COPPA
State: California CCPA and Cal. Civ. Code § 1798.29(a)
Root cause:
The zero-day, remote code execution vulnerability in Fortra’s GoAnywhere MFT solution (CVE-2023-0669) (Brightline, 2023a)
Lessons learned:
TBA or N/A (see disclaimer) (GoAnywhere is marketed as a HIPAA and HITECH-compliant SFTP solution) (Fortra, n.d.).
Sources:
Brightline. (2023a, April 7). Notice of Fortra Data Security Incident. Virtual Mental Health Care for Kids and Teens | Brightline. Retrieved May 4, 2023, from https://www.hellobrightline.com/fortra-data-notice
Brightline. (2023b, April 7). Virtual Mental Health Care for Kids and Teens | Brightline. hellobrightline.com. Retrieved May 4, 2023, from https://www.hellobrightline.com/list-of-impacted-covered-entities
Brightline (Bleeping Computer). (2023, May 3). brightline-header.jpg. bleepstatic.com. https://www.bleepstatic.com/content/posts/2023/05/03/brightline-header.jpg
Fortra. (n.d.). HIPAA & HITECH Compliant File Transfers. goanywhere.com. Retrieved February 16, 2023, from https://www.goanywhere.com/solutions/compliance/hipaa-hitech
HHS. (2023). Cases Currently Under Investigation. In Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information. U.S. Department of Health and Human Services Office for Civil Rights. Retrieved May 4, 2023, from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Rosa et al v. Brightline, Inc., Docket No. 4:23-cv-02132 (N.D. Cal. May 02, 2023), Court Docket
Toulas, B. (2023, May 3). Brightline data breach impacts 783K pediatric mental health patients. BleepingComputer. https://www.bleepingcomputer.com/news/security/brightline-data-breach-impacts-783k-pediatric-mental-health-patients/