Judge Approves $7 Million Brightline Data Breach Settlement
A $7 million settlement has been agreed to resolve a lawsuit filed against the virtual mental health provider Brightline over a hacking incident by the Clop threat group in 2023 that resulted in the theft of the protected health information of up to 1 million individuals.
Brightline was one of 130 companies to have data stolen by the Clop threat group in January 2023, after the mass exploitation of a critical remote code execution vulnerability in Fortra’s GoAnywhere MFT file transfer solution. The vulnerability was exploited between January 18, 2023, and January 30, 2023. The Clop actors created unauthorized user accounts after exploiting the vulnerability and leveraged those accounts to download files from victims’ hosted MFTaaS environments.
Brightline said the information of 964,300 individuals was potentially stolen in the attack including names, addresses, dates of birth, member identification numbers, health plan coverage start and end dates, employer names, and Social Security numbers. Notifications were issued in May 2023. Four lawsuits were filed against Brightline in response to the breach and were consolidated into a single action – Terrance Rosa, et al v. Brightline Inc. – in the U.S. District Court for the Southern District of Florida. The lawsuits asserted claims of negligence, negligence per se, breach of fiduciary duty, breach of implied contract, breach of contract third party beneficiary, unjust enrichment, and violations of various states’ consumer protection statutes.
Brightline chose to settle the lawsuit with no admission of wrongdoing or liability to avoid the litigation costs and expenses, distractions, burden, expense, and disruption to its business operations associated with further litigation. Under the terms of the settlement, a $7 million fund has been created to cover attorneys’ fees, legal costs and expenses, and claims from class members. Attorneys’ fees will be no more than 33.33% of the settlement fund. Claims may be submitted by class members for reimbursement of reasonable documented losses related to the data incident, or may alternatively claim a cash payment of $100. Members of the California class are entitled to claim an additional statutory award of $100.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Brightline previously offered the affected individual two years of complimentary credit monitoring and identity theft protection services. Class members who did not take advantage of that offer may elect to receive 3 years of complimentary credit monitoring and identity theft protection services, and individuals who claimed two years may elect to receive an additional year of those services. The settlement received final approval from a federal judge this week. Claims must be submitted no later than February 26, 2025.
