Brightline, a health provider started notifying at least 783,638 patients and 60 of its connected vendors that their data was accessed and exfiltrated by threat actors during a hack of its Fortra GoAnywhere MFT in January.
Clop already claimed to have hacked Brightline as far back as March, when the actors added the company to its dark web site, claiming to have stolen the data tied to at least 63,000 children. Those details were not included in the notice. The breach was reported to the Department of Health and Human Services in nine separate filings. Blue Shield of California, which invested in Brightline, previously issued a similar notice.
The Brightline notification mirrors these earlier notices: that Fortra “was made aware of suspicious activity within certain instances of its GoAnywhere MFT service” in January. An investigation found a previously unknown vulnerability that allowed an attacker to access certain customer accounts and download files.
Brightline was notified of the vulnerability in February and launched a review, which confirmed the access to its Fortra service. While its network was not hacked, the threat actors were able to acquire certain files saved in the platform.
The delay in notifying patients outside of the 60-day requirement of the HIPPA tied to the analysis of the accessed files. The data varied by patient but could include names, contact information, dates of birth, member identification numbers, dates of plan coverage, and/or employer names.
Fortra has deactivated the hacker’s credentials, turned off the service, and rebuilt Brightline’s version of the platform to remove the vulnerability. Brightline bolstered its own security, as well, which included limiting ongoing access to verified users, removing all data from the service, and reducing data exposure until the shift to an alternative file transfer service.
The GoAnywhere hack similar to Accellion File transfer hack has affected companies in a range of sectors, including Nintendo of America, Washington Trust Bank, Boston Children’s Hospital, and a host of others.