
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

Brightline: At Least 964,300 Individuals Affected by Fortra GoAnywhere Hack

Brightline, a provider of virtual behavioral and mental services to families, has confirmed it was affected by the cyberattack on Fortra’s GoAnywhere MFT file transfer solution, which saw a zero-day vulnerability exploited in attacks on 130 organizations over a 10-day period starting on January 18, 2023. While the Clop threat group conducts ransomware attacks, ransomware was not used in these attacks. Like the attacks that exploited a vulnerability in the Accellion File Transfer Appliance (FTA) in 2021, the group opted for data theft and extortion with no file encryption.

Brightline explained in its website breach notification that the attack occurred on January 30, 2023, and said Fortra’s investigation confirmed that files had been downloaded that contained protected health information. Brightline was notified about the attack by Fortra on February 4, 2023. Brightline’s internal investigation confirmed that the attack was limited to data within the GoAnywhere solution and that its systems had not been compromised. After determining the extent of the breach and the individuals affected, Brightline started notifying the affected HIPAA-Covered Entities. The breach involved names, addresses, dates of birth, member identification numbers, date of health plan coverage, and/or employer names. Affected individuals have been offered 24 months of complimentary credit monitoring services.

In response to the breach, Brightline deactivated the unauthorized user’s credentials used to access its data, turned off the GoAnywhere service, and rebuilt it with the zero-day vulnerability addressed. Additional data security measures were also implemented, including limiting access to verified users, removing all data in the service, and taking steps to reduce data exposure until an alternative file transfer solution can be implemented. Affected individuals were notified starting on April 7, 2023, and notifications were issued on behalf of some affected Covered Entities. Brightline was listed on the Clop data leak site on March 16, 2023, although it has since been removed. While this typically only occurs when a ransom is paid, a member of the Clop group emailed Bleeping Computer to say that Brightline’s data were deleted as the group was unaware of the nature of the business conducted by Brightline and said, “We ask for forgiveness for this incident,” which suggests no ransom was paid.

Brightline has published a list of 58 HIPAA-Covered Entities that were affected by the data breach and has – at the time of writing – submitted 9 data breach notifications to the HHS’ Office for Civil Rights. In total, those notifications indicate 964,300 individuals have been affected. Individually, the notifications indicate between 4,044 and 462,241 individuals were affected. It is unclear to what extent the notifications cover the 58 affected Covered Entities. If a separate breach notification has been issued for each affected Covered Entity, 49 of the affected Covered Entities may be issuing their own notifications, which would likely take the total number of affected individuals well past 1,000,000. Some of the notifications issued to state attorneys general by the affected clients state that Brightline issued multiple requests to Fortra asking for it to issue notifications to affected individuals and regulators, but Fortra refused.


The 58 Covered Entities known to have been affected are detailed below:

  • Insitu, Inc.
  • IUOE
  • Keller Supply
  • Kodiak Island Borough School District
  • KPMG LLP
  • Legal Name: Continental Mills, Inc. Common Name: The Krusteaz Co
  • MacDonald-Miller Facility Solutions, LLC
  • Manke Lumber Company Inc.
  • MIIA
  • Municipality of Anchorage
  • Nintendo of America Inc.
  • Northwest Cascade, Inc.
  • Oberto Snacks Inc.
  • PND Engineers, Inc.
  • Pyrotek Inc
  • Rail Management Services
  • Seagen Inc.
  • Seward Association for the Advancement of Marine Science dba Alaska SeaLife Center
  • SolstenXP, Inc.
  • SOUTH SHORE HEALTH
  • Space Needle LLC & Center Art LLC
  • Spokane Teachers Credit Union
  • Stanford Health Care – ValleyCare Employee Health Care Plan
  • Stanford Health Care Employee Health and Welfare Benefit Plan
  • Stanford Medicine Partners Employee Health and Welfare Benefit Plan
  • Stanford University Post-doctoral Scholars
  • Symetra Life Insurance Company
  • Tanana Chiefs Conference
  • The Board of Directors of the Leland Stanford Junior University (Educated Choices)
  • Undead Labs
  • University of Alaska
  • VERTEX
  • Walla Walla University
  • Washington Trust Bank
  • Whitman College

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
