Pediatric mental health provider Brightline has issued a warning to patients about a data breach affecting 783,606 people. The breach occurred after a ransomware gang exploited a zero-day vulnerability (CVE-2023-0669) in the company's Fortra GoAnywhere MFT secure file-sharing platform. Brightline provides virtual counseling services for children, teenagers, and their families.
In a 'data security notice' posted on its website, Brightline confirmed that protected health information was stolen from its GoAnywhere MFT service. The Clop ransomware gang carried out the attacks, using the CVE-2023-0669 vulnerability to allegedly steal data from 130 companies. Fortra's latest update on its investigation revealed that the threat actors began exploiting this vulnerability on January 18th, 2023.
Brightline was listed on Clop's extortion portal on March 16th, 2023, suggesting that the health startup was among the companies breached by the ransomware group in their large-scale attack. The company's internal investigation found that the stolen data included personal information, but clarified that Aetna member IDs were not compromised in the incident.
In response to the breach, Brightline stated: "As soon as we became aware of the incident, we took immediate action to investigate it by confirming Fortra deactivated the unauthorized user's credentials, turned off the service, and rebuilt our version so it was no longer vulnerable." The company also implemented additional security measures, such as limiting access to verified users, removing all data from the service, and working to reduce data exposure until an alternative file transfer solution is identified and implemented.
Brightline's partnerships with numerous healthcare institutes and companies in the U.S. have led to a security incident affecting many organizations. Among the impacted entities are well-known institutions like Diageo, Nintendo of America Inc., Harvard University, Stanford University, and Boston Children's Hospital. A complete list of affected entities can be found here.
According to data published on the U.S. Department of Health and Human Services breach portal, the incident has impacted a total of 783,606 people. However, this number may increase as internal investigations continue. Brightline submitted only eight individual entries on the government portal, presumably corresponding to eight affected entities, but its website lists a larger number of impacted organizations.
To assist those affected, Brightline is offering two years of complimentary identity theft and credit monitoring services through Cyberscout.