{"id":721,"date":"2023-05-04T22:32:22","date_gmt":"2023-05-05T03:32:22","guid":{"rendered":"https:\/\/kentprotect.com\/?p=721"},"modified":"2023-05-04T22:55:22","modified_gmt":"2023-05-05T03:55:22","slug":"breach-report-brightline-pediatric-startup-breached-783000-affected","status":"publish","type":"post","link":"https:\/\/kentprotect.com\/index.php\/2023\/05\/04\/breach-report-brightline-pediatric-startup-breached-783000-affected\/","title":{"rendered":"Breach Report: Brightline, pediatric startup, breached, 783,000+ affected"},"content":{"rendered":"
<\/div>\n

One-sentence summary: <\/strong><\/p>\n\n\n\n

Brightline was breached in the Clop ransomware group’s campaign against Fortra’s GoAnywhere MFT zero-day vulnerability, affecting over 783,606 pediatric patients and 58 covered entities and resulting in a class-action lawsuit. <\/p>\n\n\n\n

Who was involved?<\/strong><\/p>\n\n\n\n

Brightline, Inc., Fortra, LLC, 783,606 pediatric patients, and the Clop ransomware group. Brightline is also associated with many covered entities (a total of 58) which they have listed as involved in the breach as well: <\/p>\n\n\n\n

“Seward Association for the Advancement of Marine Science dba Alaska SeaLife Center<\/p>\n\n\n\n

Competitive Health<\/p>\n\n\n\n

Diageo<\/p>\n\n\n\n

Banner Corporation dba Banner Bank<\/p>\n\n\n\n

Ben Bridge Jeweler, Inc<\/p>\n\n\n\n

Carrix, Inc<\/p>\n\n\n\n

Chelan County<\/p>\n\n\n\n

Coastal Villages Region Fund<\/p>\n\n\n\n

Legal Name: Continental Mills, Inc. Common Name: The Krusteaz Co<\/p>\n\n\n\n

CRISTA Ministries<\/p>\n\n\n\n

Edifecs, Inc.<\/p>\n\n\n\n

First Security Bank of WAx<\/p>\n\n\n\n

FirstFruits HoldCo, LLC<\/p>\n\n\n\n

Football Northwest, LLC<\/p>\n\n\n\n

Goodfellows Bros. LLC<\/p>\n\n\n\n

Green Diamond Resources<\/p>\n\n\n\n

Holland America Group<\/p>\n\n\n\n

Insitu, Inc.<\/p>\n\n\n\n

Keller Supply<\/p>\n\n\n\n

KPMG LLP<\/p>\n\n\n\n

Kodiak Island Borough School District<\/p>\n\n\n\n

MacDonald-Miller Facility Solutions, LLC<\/p>\n\n\n\n

Manke Lumber Company Inc.<\/p>\n\n\n\n

Municipality of Anchorage<\/p>\n\n\n\n

Nintendo of America Inc.<\/p>\n\n\n\n

Northwest Cascade, Inc.<\/p>\n\n\n\n

Oberto Snacks Inc.<\/p>\n\n\n\n

PND Engineers, Inc.<\/p>\n\n\n\n

Pyrotek Inc<\/p>\n\n\n\n

Rail Management Services<\/p>\n\n\n\n

Seagen Inc.<\/p>\n\n\n\n

SolstenXP, Inc.<\/p>\n\n\n\n

Space Needle LLC & Center Art LLC<\/p>\n\n\n\n

Spokane Teachers Credit Union<\/p>\n\n\n\n

Symetra Life Insurance Company<\/p>\n\n\n\n

Tanana Chiefs Conference<\/p>\n\n\n\n

Undead Labs<\/p>\n\n\n\n

University of Alaska<\/p>\n\n\n\n

Walla Walla University<\/p>\n\n\n\n

Washington Trust Bank<\/p>\n\n\n\n

Whitman College<\/p>\n\n\n\n

Alaska Central Express, Inc DBA Ace Air Cargo<\/p>\n\n\n\n

Alaska Hotel Properties LLC<\/p>\n\n\n\n

Alaska Railroad Corporation<\/p>\n\n\n\n

ASML<\/p>\n\n\n\n

MIIA<\/p>\n\n\n\n

HARVARD UNIVERSITY FACULTY AND STAFF (HUFS)<\/p>\n\n\n\n

HARVARD UNIVERSITY (HUGHP)<\/p>\n\n\n\n

BOSTON CHILDRENS HOSPITAL<\/p>\n\n\n\n

BLUE CROSS BLUE SHIELD OF MASS<\/p>\n\n\n\n

VERTEX<\/p>\n\n\n\n

SOUTH SHORE HEALTH<\/p>\n\n\n\n

IUOE<\/p>\n\n\n\n

The Board of Directors of the Leland Stanford Junior University (Educated Choices)<\/p>\n\n\n\n

Stanford University Post-doctoral Scholars<\/p>\n\n\n\n

Stanford Health Care \u2013 ValleyCare Employee Health Care Plan<\/p>\n\n\n\n

Stanford Health Care Employee Health and Welfare Benefit Plan<\/p>\n\n\n\n

Stanford Medicine Partners Employee Health and Welfare Benefit Plan” (Brightline, 2023b)<\/p>\n\n\n\n

What was the timeline?<\/strong><\/p>\n\n\n\n

January 30, 2023: Brightline is breached as a part of the GoAnywhere campaign by the Clop ransomware group <\/p>\n\n\n\n

February 4, 2023: Brightline discovers the data breach from Fortra <\/p>\n\n\n\n

April 7, 2023: Brightline begins consumer notification <\/p>\n\n\n\n

May 2, 2023: Class-action lawsuit is filed against Brightline in the federal Northern District of California (Rosa et al v. Brightline, Inc.<\/em>, 2023) <\/p>\n\n\n\n

May 3, 2023: The Clop ransomware group tells Bleeping Computer they deleted the data (Toulas, 2023)<\/p>\n\n\n\n

What occurred?<\/strong><\/p>\n\n\n\n

Brightline, a pediatric mental health services startup, was breached in the Clop ransomware group’s campaign against Fortra’s GoAnywhere MFT solution, potentially exposing the following sensitive data for at least 783,606 individuals (primarily pediatric patients): “limited amount of protected health information\/personal information” with “some combination of the following data elements: individuals\u2019 names, addresses, dates of birth, member identification numbers, date of health plan coverage, and\/or employer names” (Brightline, 2023a; HHS, 2023). Over 58 covered entities are implicated (Brightline, 2023b). The Clop ransomware group ultimately reached out to Bleeping Computer expressing an apology and a statement that they deleted the data belonging to Brightline (Toulas, 2023). Ultimately, Bleeping Computer confirmed the data was removed from Clop’s leak portal (Toulas, 2023). This did not stop a federal, class-action lawsuit from being filed in the Northern District of California against Brightline (Rosa et al v. Brightline, Inc.<\/em>, 2023). <\/p>\n\n\n\n

Estimated costs:<\/strong><\/p>\n\n\n\n

Incident response costs, breach notification costs, 2 years of identity theft services from Cyberscout<\/p>\n\n\n\n

Involved laws: <\/strong><\/p>\n\n\n\n

Federal: HIPAA, HITECH, and COPPA<\/p>\n\n\n\n

State: California CCPA and Cal. Civ. Code \u00a7 1798.29(a)<\/p>\n\n\n\n

Root cause: <\/strong><\/p>\n\n\n\n

The zero-day, remote code execution vulnerability in Fortra\u2019s GoAnywhere MFT solution (CVE-2023-0669) (Brightline, 2023a)<\/p>\n\n\n\n

Lessons learned: <\/strong><\/p>\n\n\n\n

TBA or N\/A (see disclaimer) (GoAnywhere is marketed as a HIPAA and HITECH-compliant SFTP solution) (Fortra, n.d.).<\/p>\n\n\n\n

Sources: <\/strong><\/p>\n\n\n\n

Brightline. (2023a, April 7). Notice of Fortra Data Security Incident<\/em>. Virtual Mental Health Care for Kids and Teens | Brightline. Retrieved May 4, 2023, from https:\/\/www.hellobrightline.com\/fortra-data-notice<\/p>\n\n\n\n

Brightline. (2023b, April 7). Virtual Mental Health Care for Kids and Teens | Brightline<\/em>. hellobrightline.com. Retrieved May 4, 2023, from https:\/\/www.hellobrightline.com\/list-of-impacted-covered-entities<\/p>\n\n\n\n

Brightline (Bleeping Computer). (2023, May 3). brightline-header.jpg<\/em>. bleepstatic.com. https:\/\/www.bleepstatic.com\/content\/posts\/2023\/05\/03\/brightline-header.jpg<\/p>\n\n\n\n

Fortra. (n.d.). HIPAA & HITECH Compliant File Transfers<\/em>. goanywhere.com. Retrieved February 16, 2023, from https:\/\/www.goanywhere.com\/solutions\/compliance\/hipaa-hitech<\/p>\n\n\n\n

HHS. (2023). Cases Currently Under Investigation. In Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information<\/em>. U.S. Department of Health and Human Services Office for Civil Rights. Retrieved May 4, 2023, from https:\/\/ocrportal.hhs.gov\/ocr\/breach\/breach_report.jsf<\/p>\n\n\n\n

Rosa et al v. Brightline, Inc., Docket No. 4:23-cv-02132 (N.D. Cal. May 02, 2023), Court Docket<\/a><\/p>\n\n\n\n

Toulas, B. (2023, May 3). Brightline data breach impacts 783K pediatric mental health patients. BleepingComputer<\/em>. https:\/\/www.bleepingcomputer.com\/news\/security\/brightline-data-breach-impacts-783k-pediatric-mental-health-patients\/<\/p>\n\n\n\n

\n