A data breach occurred within Brightline in January 2023 when the Clop ransomware group exploited a remote code execution vulnerability in Fortra’s GoAnywhere Managed File Transfer (MFT) solution.
Between January 18 and January 30, 2023, Clop actors created unauthorized user accounts after exploiting this vulnerability, allowing them to download sensitive files from the MFTaaS environments of multiple organizations. Brightline, a virtual mental health provider, was one of 130 companies affected by this attack.
As a result, the protected health information (PHI) of approximately 964,300 individuals was compromised, including names, addresses, dates of birth, member identification numbers, health plan coverage start and end dates, employer names, and Social Security numbers. Notifications were issued to affected individuals in May 2023. Following the breach, four lawsuits were filed against Brightline, which were later consolidated into a single case, Terrance Rosa, et al. v. Brightline Inc., in the U.S. District Court for the Southern District of Florida.
The plaintiffs alleged negligence, breach of contract, breach of fiduciary duty, unjust enrichment, and violations of various state consumer protection laws. To resolve the litigation without admitting liability, Brightline agreed to a $7 million settlement, which was approved by a federal judge on February 13, 2025.
According to the Brightline class action settlement website, “All Settlement Class members may select either Cash Payment A or Cash Payment B. Any Settlement Class member who submits a Valid Claim may elect to receive Cash Payment A in the form of cash compensation up to $5,000.00 by providing reasonable documented losses related to the Data Incident (“Cash Payment A”); or Cash Payment B in the form of a flat cash payment in the amount of $100.00 (“Cash Payment B”).”
Compared to similar recent judgments, the settlement is notable for both its monetary value and its focus on a telemental health provider. In recent months, healthcare organizations have been held accountable both by HHS and through class action lawsuits like this one. The Brightline settlements reinforce the legal precedent that healthcare providers are expected of their size or technological infrastructure.
A medical class action lawsuit is a civil suit filed on behalf of a group of individuals or business entities who have suffered common injuries caused by the same liable party. Such cases involve a large number of individuals with similar injuries arising from the same defendant's conduct, and individual lawsuits may not be practical because so many people are affected.
Common types of medical class action lawsuits include: unlawful promotion of prescription drugs by pharmaceutical companies; unlisted drug side effects that cause harm; death or permanent injury caused by medical devices; medical tort; and defective products in healthcare.
Blue Cross Blue Shield, a major health insurance company, has been involved in multiple class action lawsuits.