Virtual mental health service provider Brightline is to pay $7 million to settle a lawsuit over a 2023 hacking incident involving the Clop threat group that led to the theft of the protected health information (PHI) of about 1 million people.
The Clop threat group stole data from 130 companies in January 2023, and Brightline was one of them. The group did so by exploiting a critical remote code execution vulnerability in Fortra's GoAnywhere MFT file transfer service. The mass exploitation took place from January 18, 2023, to January 30, 2023. After exploiting the vulnerability, the Clop threat actors created unauthorized user accounts to acquire files from MFTaaS environments hosted by the victims.
Brightline stated that the data of 964,300 people was likely stolen during the attack. The breached data included names, birth dates, addresses, member ID numbers, names of employers, health insurance plan coverage start and end dates, and Social Security numbers. Brightline issued notifications in May 2023. It then faced four lawsuits filed in response to the data breach, which were combined into one action, Terrance Rosa, et al v. Brightline Inc., filed in the U.S. District Court for the Southern District of Florida. The lawsuits asserted claims of negligence, negligence per se, breach of fiduciary duty, unjust enrichment, breach of implied contract, breach of contract (third-party beneficiary), and violations of various state consumer protection laws as well as HIPAA.
Brightline decided to resolve the lawsuit without admitting wrongdoing or liability, in order to avoid the costs, expenses, pressure, and disruption to its business activities that further litigation would bring. Under the terms of the settlement, Brightline set aside a $7 million fund to cover attorneys’ fees, legal costs and expenses, and claims from class members. Attorneys’ fees should not exceed 33.33% of the settlement fund. Class members may claim reimbursement of reasonable documented losses associated with the data incident, or may instead claim a cash payment of $100. California class members are eligible to claim an extra $100 statutory award.
Brightline earlier provided the affected individuals with free identity theft protection and credit monitoring services for two years. Class members who didn’t make use of that offer may choose to receive free identity theft protection and credit monitoring services for three years, and those who claimed the two years may opt for an extra year. A federal judge has already given final approval to the settlement. Claims should be filed on or before February 26, 2025.