$20 Million Settlement Agreed to Resolve Fortra GoAnywhere Data Breach Multidistrict Litigation
A $20 million settlement has received preliminary approval from a Federal judge to resolve multidistrict litigation against the software provider Fortra, its clients, and their customers over a 2023 hacking incident involving the Fortra GoAnywhere managed file transfer (MFT) solution. The Clop ransomware group exploited a zero-day vulnerability in the solution to gain access to customer data.
Several class action lawsuits were filed against Fortra in response to the data breach, with the settlement covering eight of nine class action lawsuits against Fortra and its healthcare clients. The lawsuits were consolidated in multidistrict litigation in February 2024 in the Southern District of Florida – In re: Fortra File Transfer Software Data Security Breach Litigation – and include claims against Fortra, NationsBenefits LLC, NationsBenefits Holdings LLC, Aetna Inc., Aetna Life Insurance Co., Santa Clara Family Health Plan, Anthem Insurance Companies Inc., Elevance Health Inc., Community Health Systems Inc., CHSPC LLC, Brightline, Imagine360, and Intellihartx LLC.
The lawsuits alleged negligence, negligence per se, breach of fiduciary duty, breach of confidence, breach of contract, breach of implied contract, and violations of the California Consumer Records Act, California Consumer Privacy Act, California unfair competition law, California Consumers Legal Remedies Act, and consumer protection laws in several other states.
A separate $7 million settlement was agreed between the plaintiffs and Brightline in July 2024, which received final approval from the Court in February 2025. Following global mediation, an agreement in principle was reached to resolve all claims against the remaining defendants. The settlement has received preliminary approval and will provide relief for approximately 5 million individuals who received notices that their data was involved.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
There are 10 subclasses in the settlement: Fortra, which comprises all members of the main settlement class and the other nine subclasses, which are for people who received notifications from Aetna, Brightline, CHS, Elevance, Imagine360, Intellihartz, NationsBenefits, Santa Clara Family Health Plan, and Hatch Bank.
Under the terms of the settlement, a $20 million fund will be established to cover claims, attorneys’ fees, class representative awards, and administration costs. Class members can choose to submit a claim for reimbursement of documented losses up to a maximum of $5,000 per class member or alternatively receive a cash payment, which is expected to be around $85. All claimants will also receive one year of dark web monitoring. Members of the Brightline subclass are not eligible to receive the cash payment and may only submit a claim for reimbursement of losses if they did not already submit a claim under the separate Brightline settlement.
Any remaining funds in the settlement will be paid to the Electronic Privacy Information Center or an alternative non-profit organization approved by the court. Prior to the settlement being granted final approval, all defendants will provide the court with attestations on the security measures implemented following the data incident, the costs of which will be borne in full by the defendants and will not be deducted from the settlement fund.
