Brightline Hack Exposes Data of Over 780,000 Child Mental Health Patients
Pediatric mental health provider Brightline has warned patients that it suffered a data breach on January 30, impacting 783,606 people.
Writing in a notice on its website earlier this week, Brightline said the breach was related to a zero-day vulnerability in its Fortra GoAnywhere MFT secure file-sharing platform.
“Through its investigation, Fortra states that it identified a previously-unknown vulnerability which an unauthorized party used to gain access to certain Fortra customers’ accounts and download files, including ours,” reads the notice.
Brightline said its investigation determined the incident was limited to the Fortra service and did not impact its network. However, the data stolen from the breach included patients’ confidential information.
“[This] potentially [includes] some combination of the following data elements: individuals’ names, addresses, dates of birth, member identification numbers, date of health plan coverage, and/or employer names,” the company wrote.
According to Bleeping Computer, these attacks were conducted by the Clop ransomware gang using the command injection vulnerability CVE-2023-0669.
“The fact that the Clop ransomware gang was able to maintain compromise in Brightline’s environments for months, even after publicly listing Brightline in their portal, is very telling of the current state of information security in the healthcare industry,” commented David Benas, an associate principal consultant at the Synopsys Software Integrity Group.
“While proactive protection against vulnerabilities is critically important, this incident shows that proving you have strong incident response capabilities before you get breached is just as important, if not even more important, in a situation like this.”
Echoing Benas’s point, James Graham, VP of RiskLens, said healthcare industry members are often targeted by threat actors, which means healthcare organizations need to be exceptionally sure of their cybersecurity investments.
“Part of this is performing quantitative risk assessments using the FAIR standard to provide an overview of risk in terms of probability and cost, allowing for security investments to be made more efficiently.”