Brightline data breach impacts 783K pediatric mental health patients – Source: www.bleepingcomputer.com

Pediatric mental health provider Brightline is warning patients that it suffered a data breach impacting 783,606 people after a ransomware gang stole data using a zero-day vulnerability in its Fortra GoAnywhere MFT secure file-sharing platform.

Brightline is a mental and behavioral health provider offering virtual counseling for children, teenagers, and their families. 

In a new ‘data security notice’ displayed on the company’s website, Brightline confirmed that data was stolen from its GoAnywhere MFT service that contained protected health information.

These attacks were conducted by the Clop ransomware gang, who utilized a zero-day vulnerability tracked as CVE-2023-0669 to allegedly steal data from 130 companies.

According to Fortra’s latest update on its investigation, the threat actors began leveraging this vulnerability since January 18th, 2023.

Brightline was listed on Clop’s extortion portal on March 16th, 2023, indicating that the health startup was among the firms the ransomware actors breached in their large-scale attack.

The company’s internal investigation revealed that the data stolen by the Clop ransomware gang included the following personal information:

• Full names
• Physical addresses
• Dates of birth
• Member identification numbers
• Date of health plan coverage
• Employer names

The notice clarifies that Aetna member IDs have not been compromised due to this incident.

“As soon as we became aware of the incident, we took immediate action to investigate it by confirming Fortra deactivated the unauthorized user’s credentials, turned off the service, and rebuilt our version so it was no longer vulnerable,” reads Brightline’s security notice.

“Further, we implemented additional security measures, including limiting ongoing access to verified users, removing all of our data from the service, and continuing ongoing measures to reduce data exposure until an alternative file transfer solution is identified and implemented.”

Brightline’s extensive partnerships with healthcare institutes and companies in the U.S. has resulted in a security incident impacting many entities. This includes well-known organizations like Diageo, Nintendo of America Inc., Harvard University, Stanford University, and Boston Children’s Hospital.

The complete list of impacted entities can be found here.

Data published today on the breach portal of the U.S. Department of Health and Human Services indicates that the incident has impacted a total of 783,606 people.

However, this figure may increase as internal investigations progress. Brightline only submitted eight individual entries on the government portal, presumably corresponding to eight affected entities, but its website lists a more significant number of impacted organizations.

Brightline offers all impacted individuals two years of complimentary identity theft and credit monitoring services via Cyberscout.

Update 5/3/23: After the publication of this article, the Cl0p ransomware operation emailed BleepingComputer to say they deleted Brightline’s data from their data leak site.

“We delete the data and we did not know what this company is doing, because not all companies are analyzing. And we ask for forgiveness for this incident,” Clop emailed BleepingComputer.

While we have no way determining if they actually deleted all of the data in their possession, BleepingComputer can confirm that Brightline is no longer listed on the gang’s data leak site.