Brightline, a startup pediatric behavioral health provider, has issued a notice regarding a data security incident involving its third-party vendor, Fortra. The incident has affected a limited amount of protected health information of individuals associated with certain entities referred to as “Covered Entities.” The notice aims to inform impacted individuals about the nature of the incident and the actions taken by Brightline in response.
Fortra provides GoAnywhere MFT (Managed File Transfer), a file transfer service offered as Software-as-a-Service. Brightline received information from the Covered Entities concerning the eligibility of certain individuals for its services, and this information was stored in Brightline’s account with Fortra.
On January 30, 2023, Fortra became aware of suspicious activity within certain instances of its GoAnywhere MFT service. Through its investigation, Fortra identified a previously unknown vulnerability that had been exploited by an unauthorized party to gain access to certain Fortra customers’ accounts and download files, including those belonging to Brightline.
Upon being informed of the security vulnerability in Fortra’s GoAnywhere MFT service on February 4, 2023, Brightline took swift action. The company determined that the incident was limited solely to the Fortra service and did not impact Brightline’s own network. Fortra also promptly notified law enforcement and is cooperating with their investigation of the incident.
Subsequently, Brightline determined that the unauthorized party had acquired certain files stored in the Fortra service. The company analyzed the files to identify affected individuals and the types of data involved. The analysis revealed that the files contained a limited amount of protected health information, potentially including individuals’ names, addresses, dates of birth, member identification numbers, dates of health plan coverage, and/or employer names. A small number of Social Security Numbers were also exposed, but most individuals’ Social Security Numbers were not affected.
Upon becoming aware of the incident, Brightline took immediate action by confirming that Fortra had deactivated the unauthorized user’s credentials, turned off the service, and rebuilt its version to eliminate the vulnerability. Brightline also implemented additional security measures, including limiting ongoing access to verified users, removing all of its data from the service, and continuing to reduce data exposure until an alternative file transfer solution is identified and implemented.
Starting on April 7, 2023, Brightline is providing notice of Fortra’s incident to affected individuals. Those impacted are being offered two years of complimentary identity theft and credit monitoring services through Cyberscout. A hotline has been established to address questions related to the incident, and Brightline has advised impacted individuals of steps they can take to further protect themselves.
If you suspect that you have fallen victim to identity theft or have reason to believe that your personal information has been misappropriated, it is essential to take prompt action by reaching out to the appropriate authorities. Specifically, you should contact the Federal Trade Commission (FTC) as well as the Attorney General’s office in your state of residence. Additionally, contacting local law enforcement agencies is advisable. These agencies can offer guidance and assistance in addressing the situation and provide information on measures you can take to prevent or mitigate the risks associated with identity theft.