Brightline data breach impacts 783K pediatric mental health patients

Pediatric mental health provider Brightline is warning patients that it suffered a data breach impacting 783,606 people after a ransomware gang stole data using a zero-day vulnerability in its Fortra GoAnywhere MFT secure file-sharing platform.

Brightline is a mental and behavioral health provider offering virtual counseling for children, teenagers, and their families. 

In a new ‘data security notice’ displayed on the company’s website, Brightline confirmed that data was stolen from its GoAnywhere MFT service that contained protected health information.

These attacks were conducted by the Clop ransomware gang, who utilized a zero-day vulnerability tracked as CVE-2023-0669 to .

According to Fortra’s , the threat actors began leveraging this vulnerability on January 18th, 2023.

Brightline was listed on Clop’s extortion portal on March 16th, 2023, indicating that the health startup was among the firms the ransomware actors breached in their large-scale attack.

The company’s internal investigation revealed that the data stolen by the Clop ransomware gang included the following personal information:

  • Full names
  • Physical addresses
  • Dates of birth
  • Member identification numbers
  • Date of health plan coverage
  • Employer names

The notice clarifies that Aetna member IDs have not been compromised due to this incident.

“As soon as we became aware of the incident, we took immediate action to investigate it by confirming Fortra deactivated the unauthorized user’s credentials, turned off the service, and rebuilt our version so it was no longer vulnerable,” reads .

“Further, we implemented additional security measures, including limiting ongoing access to verified users, removing all of our data from the service, and continuing ongoing measures to reduce data exposure until an alternative file transfer solution is identified and implemented.”

Brightline’s extensive partnerships with healthcare institutes and companies in the U.S. have resulted in a security incident impacting many entities. These include well-known organizations like Diageo, Nintendo of America Inc., Harvard University, Stanford University, and Boston Children’s Hospital.

The complete list of impacted entities .

Data published today on the breach portal of the U.S. Department of Health and Human Services indicates that the incident has .

However, this figure may increase as internal investigations progress. Brightline only submitted eight individual entries on the government portal, presumably corresponding to eight affected entities, but its website lists a larger number of impacted organizations.

Brightline offers all impacted individuals two years of complimentary identity theft and credit monitoring services via Cyberscout.