
In a significant legal development, virtual mental health provider Brightline has agreed to a $7 million settlement to resolve a lawsuit stemming from a 2023 hacking incident. The breach, attributed to the Clop threat group, resulted in the theft of protected health information (PHI), affecting up to 1 million individuals.
The incident occurred between January 18 and January 30, 2023, when Clop exploited a critical vulnerability in Fortra’s GoAnywhere MFT file transfer solution. This vulnerability allowed the group to infiltrate the systems of 130 companies, including Brightline, by creating unauthorized user accounts and downloading sensitive data from the affected firms’ Managed File Transfer as a Service (MFTaaS) environments.
Brightline confirmed that the breach potentially compromised the personal information of 964,300 individuals, including names, addresses, dates of birth, Social Security numbers, health plan details, and employer information. In May 2023, the company notified affected individuals, outlining the nature and scope of the breach. This prompted four lawsuits, which were later consolidated into a single class-action case, Terrance Rosa et al. v. Brightline Inc., in the U.S. District Court for the Southern District of Florida.
The lawsuits alleged negligence, breach of fiduciary duty, and violations of state consumer protection laws, among other things. The plaintiffs sought compensation for the harm caused by the violations, asserting that Brightline had failed to adequately protect the sensitive information entrusted to it.
To avoid the extensive costs, distractions, and operational disruptions associated with prolonged litigation, Brightline opted to settle the case. The company has not admitted to any wrongdoing or liability, but a $7 million fund will be established under the settlement agreement. This fund will cover attorneys’ fees, legal expenses, and claims from affected class members.
Attorneys’ fees are capped at 33.33% of the total settlement amount. Class members are eligible to claim either reimbursement for documented losses or a direct cash payment of $100. California residents affected by the breach are entitled to an additional $100 statutory award.
Brightline had previously offered those impacted by the breach two years of free credit monitoring and identity theft protection services. However, as part of the settlement, individuals who did not take advantage of this offer will now have the option to receive three years of complimentary services. Those who accepted the original two-year offer can extend their protection by one additional year. A federal judge granted final approval of the settlement earlier this week. Affected individuals who wish to file a claim must do so by February 26, 2025.
© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd.