Brightline reaches $7 million settlement over 2023 data breach

Virtual behavioral healthcare provider Brightline has agreed to a $7 million settlement to address a class-action lawsuit arising from a substantial data breach in January 2023. The breach, attributed to vulnerabilities in Fortra’s file-transfer software, exposed the personal data of approximately one million individuals, prompting the settlement, which received preliminary court approval on September 24, 2024. Eligible individuals can expect cash payments, credit monitoring services, and additional support.

The data breach compromised sensitive data belonging to U.S. residents who have since been informed of their eligibility for compensation. Affected individuals may receive a one-time payment of $100 or up to $5,000 if they can substantiate financial losses linked to the breach. Additionally, California residents qualify for a statutory payment of $100 under state law.

The settlement includes cash payments and provides three years of free credit monitoring for all class members to protect against risks such as identity theft and fraud. Individuals already enrolled in Brightline’s two-year monitoring program will receive an additional year of protection.

To participate in the settlement, affected individuals must submit claims by February 26, 2025. Claims may be filed online via the Brightline Data Security Settlement website using a Unique ID and PIN on their notification postcard. For those without notice, assistance is available from the settlement administrator. Additionally, claimants can download and mail a PDF form if preferred.

Total payouts may be adjusted on a pro-rata basis depending on the number of claims and requested benefits—including cash payments, statutory payments for California residents, and credit monitoring. A final approval hearing for the settlement is set for February 10, 2025. After the court’s approval and barring appeals, distributions to eligible class members will begin.

The original lawsuit was filed after a cyberattack exploited a vulnerability in the Fortra GoAnywhere MFT application, leading to unauthorized exposure of sensitive personal, medical, and financial data. In February 2024, a multidistrict litigation (MDL) was established to handle the influx of claims related to the incident, with this settlement designed to provide compensation and closure. For more information or to file a claim, visit the official Brightline Data Security Settlement website.