Pediatric mental health provider Brightline is warning patients that it suffered a data breach affecting 783,606 people after a ransomware gang stole data using a zero-day vulnerability in its Fortra GoAnywhere MFT secure file-sharing platform.
Brightline is a mental and behavioral health provider offering virtual counseling for children, teens and their families.
In a new “data security notice” posted on the company’s website, Brightline confirmed that data containing protected health information was stolen from its GoAnywhere MFT service.
These attacks were carried out by the Clop ransomware gang, which used a zero-day vulnerability identified as CVE-2023-0669 to reportedly steal the data of 130 companies.
According to Fortra's latest update on its investigation, threat actors began exploiting this vulnerability on January 18, 2023.
Brightline was listed on Clop’s extortion portal on March 16, 2023, indicating that the healthcare startup was among the companies ransomware actors breached in their large-scale attack.
The company’s internal investigation revealed that the data stolen by the Clop ransomware gang included the following personal information:
- Full names
- Physical addresses
- Date of birth
- Member ID numbers
- Health plan coverage date
- Names of employers
The advisory clarifies that the credentials of Aetna members were not compromised as a result of this incident.
“As soon as we became aware of the incident, we took immediate action to investigate, confirming that Fortra had disabled the unauthorized user’s credentials, disabled the service and rebuilt our version so that it is no longer vulnerable,” reads the Brightline security notice.
“In addition, we have implemented additional security measures, including limiting continued access to verified users, deleting all of our data from the service, and continuing with ongoing measures to reduce data exposure until an alternative file transfer solution is identified and implemented.”
Because Brightline partners extensively with health institutes and corporations in the United States, the security incident affects numerous entities. These include well-known organizations such as Diageo, Nintendo of America Inc., Harvard University, Stanford University, and Boston Children’s Hospital.
The complete list of impacted entities is published on Brightline's website.
Data released today on the U.S. Department of Health and Human Services Breach Portal indicates that the incident has affected a total of 783,606 people.
However, this figure may increase as internal investigations progress. Brightline submitted only eight individual entries on the government portal, presumably corresponding to eight affected entities, but its website lists a larger number of affected organizations.
Brightline is offering everyone affected two years of free identity theft and credit monitoring services through Cyberscout.