Brightline breach hits at least 964,000 people, US records show

A pediatric behavioral health startup called Brightline informed its customers that their protected health data may have been stolen as part of a separate ransomware attack on a Brightline third-party service provider. 

“Based on the investigation, we identified a limited amount of protected health information/personal information in the files that the unauthorized party acquired, potentially including some combination of the following data elements: individuals’ names, addresses, dates of birth, member identification numbers, date of health plan coverage, and/or employer names,” wrote Brightline in its public notice online.

Though Brightline did not disclose the number of affected customers, recently updated records with the US Department of Health and Humans Services Office of Civil Rights showed that at least 964,301 people were impacted. 

The third-party service provider at the heart of the data breach is Fortra, which was recently targeted by the Cl0p ransomware gang in a string of attacks that leveraged an undisclosed vulnerability in the file transfer software called GoAnywhereMFT, which Fortra develops and which is used by businesses worldwide. Malwarebytes Labs reported on the vulnerability in February, urging users to deploy a patch

GoAnywhere MFT, which stands for managed file transfer, allows businesses to manage and exchange files in a secure and compliant way. According to its website, it caters to more than 3,000 organizations, predominantly ones with over 10,000 employees and 1B USD in revenue.

Brightline was just one of the many victims on the list that Cl0p made using the same vulnerability. The day after the release of the GoAnywhere patch, the Clop ransomware gang contacted BleepingComputer and said they had used the flaw over ten days to steal data from 130 companies.

For many organizations, Brightline offers virtual behavioral and mental health services for the children of benefits-eligible employees. In this light, Brightline has published a list of covered entities impacted by the breach.

Interestingly, the 964,000 number released by the US government may not be complete. 

According to the online resource, by the end of May 3, 2023, the subtotal number of Brightline patients affected by the GoAnywhere incident stood at 1,081,716.

Another remarkable fact disclosed is that the listing for Brightline on Cl0p’s leak site has disappeared. This is usually an indicator that the victim has paid, but there might be something else going on in this case, since Brightline has been exemplary at providing public information and details about the breach.

Data breach

There are some actions you can take if you are, or suspect you may have been, the victim of a data breach.

  • Check the vendor’s advice. Every breach is different, so check with the vendor to find out what’s happened, and follow any specific advice they offer.
  • Change your password. You can make a stolen password useless to thieves by changing it. Choose a strong password that you don’t use for anything else. Better yet, let a password manager choose one for you.
  • Enable two-factor authentication (2FA). If you can, use a FIDO2-compliant hardware key, laptop or phone as your second factor. Some forms of two-factor authentication (2FA) can be phished just as easily as a password. 2FA that relies on a FIDO2 device can’t be phished.
  • Watch out for fake vendors. The thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims, and verify any contacts using a different communication channel.
  • Take your time. Phishing attacks often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.

According to the information provided by Brightline, no Social Security numbers or financial accounts were stolen, nor did the stolen files contain anything related to medical services, conditions, diagnoses, or claims for the plan participant or their dependent.

If you are affected by this data security incident, you should have received or will receive a letter (or letters, if you have dependents) from Brightline. Each letter will have a unique code for the member and/or dependent to register for free identity theft and credit monitoring. Brightline will also have a call center available to answer questions. More information, including frequently asked questions, is available on Brightline’s website.

Malwarebytes removes all remnants of ransomware and prevents you from getting reinfected. Want to learn more about how we can help protect your business? Get a free trial below.