Brightline, a virtual mental health provider, has agreed to settle a federal class action lawsuit for $7 million following a 2023 data breach that affected about 1 million people. The breach occurred when the Clop ransomware gang exploited a zero-day vulnerability in the Fortra GoAnywhere managed file transfer application. This breach exposed sensitive personal information, including names, addresses, birth dates, phone numbers, and Social Security numbers, leading to claims of negligence on Brightline’s part for failing to protect this data.
Under the settlement, class members may receive up to $5,000 for verified losses related to the breach, such as identity theft and fraud, or choose a flat $100 cash payment. California residents may also claim an additional $100 as part of the California Statutory Award.
Additionally, all class members are eligible for three years of complimentary credit monitoring, with the option of an extra year if they had already accepted Brightline’s previous offer of coverage.
Brightline denies all allegations of wrongdoing and liability but agreed to the settlement to resolve the lawsuit. The company was accused of failing to safeguard its customers’ sensitive data and, in particular, of violating California’s consumer privacy and unfair competition laws. Attorneys representing the plaintiffs and class members are set to receive up to 33% of the settlement fund, approximately $2.3 million, in fees and expenses.
The breach, tied to the GoAnywhere vulnerability, is part of broader litigation affecting other organizations targeted by Clop. The Russian-speaking digital extortion group had previously exploited vulnerabilities in managed file transfer platforms from vendors like Accellion, Serv-U, and Progress Software’s MOVEit. While Brightline has settled, other related lawsuits are still ongoing in U.S. courts.