2023 was a bad year for commercial file transfer software because the Clop ransomware gang kept finding zero-day vulnerabilities to exploit. One of their campaigns involved Fortra’s GoAnywhere software. Even though Fortra issued a patch for CVE-2023-0669 within a week of discovery, there were many victims, including Brightline. Now TechTarget reports that the class action lawsuit against Brightline is settling:
Brightline, a virtual mental health provider that specializes in therapy, psychiatry and coaching for kids and teens, will pay $7 million to resolve a class action lawsuit filed against it in connection with the 2023 Fortra cyberattack.
In January 2023, Clop ransomware targeted a vulnerability in Fortra’s GoAnywhere managed file transfer (MFT) solution. Clop claimed more than 130 victim organizations through its exploitation of a zero-day vulnerability. Brightline was one of the many organizations that used Fortra as a vendor and were impacted by the hack.
In May 2023, Brightline notified approximately 964,000 individuals that their information had potentially been compromised during the hack.
Several lawsuits arose as a result of this incident and were later consolidated into four tracks, including a track focused on Brightline. In April 2024, plaintiffs filed a consolidated complaint against Brightline, alleging negligence, breach of fiduciary duty, breach of implied contract and violations of state-level consumer protection statutes.
The consolidated complaint alleged that Brightline breached its duties by “developing unsafe and unprotected remote access tools and implementing inadequate data security measures and protocols that failed to properly safeguard and protect Plaintiffs’ and Class Members’ Private Information from a foreseeable cyberattack on its systems.”
Read more at TechTarget. As is usually the case, Brightline makes no admission of any guilt.