Updated May 3: When DataBreaches checked Clop's leak site today, the listing for Brightline was gone. Whether this means that Brightline paid Clop to have it removed, or whether the removal is only temporary, remains to be seen. But of all the health-related Fortra clients this site reported on in April, the Brightline listing is the only one that has disappeared from Clop's site. Brightline is also the client that has been most transparent in providing public information, details about the breach, and notifications on behalf of its clients. Given that many other Fortra clients still have not made any public disclosure or notification, Brightline's incident response, in terms of transparency, has been especially commendable so far.
By the end of today, the running subtotal of Brightline patients affected by the GoAnywhere incident stood at 1,081,716.
On April 21, DataBreaches reported on healthcare entities affected by the Fortra/GoAnywhere attack by Clop threat actors. DataBreaches also reported on healthcare entities for which we could find no notifications, even though they appeared to have been affected by the attack.
One of the entities noted in the first part of that report was Brightline, a pediatric behavioral health provider. As of April 21, DataBreaches had found that Brightline had made notifications on behalf of Coach USA employees served by the Aetna health plan (27,742), Blue Shield of California (63,341), and Samsung Semiconductor (no number provided). Brightline had also reported making notifications on behalf of more than four dozen clients listed on its website, although no numbers were provided for individual clients.
Since then, more notifications have appeared, but generally with incomplete and possibly duplicative information. In April, Brightline made eight notifications (that we know of so far) to HHS. The publicly available breach tool does not reveal the names of the clients on whose behalf Brightline made those notifications. Brightline reported a total of 783,606 patients affected across the eight incidents, the smallest being 4,044 and the largest 462,241. That total is in addition to the numbers previously reported for Blue Shield of California and Coach USA. It may also be in addition to the 26,333 Washington residents reported to the Washington State Attorney General's Office by Brightline's external counsel on behalf of:
- Adobe Inc. (958)
- CohnReznick LLP (3)
- Costco Wholesale (9875)
- Port of Seattle (810)
- Regeneron Pharmaceuticals, Inc. (39)
- Salesforce.com, Inc. (2825)
- *Comcast Corporation Comprehensive Health and Welfare Benefit Plan (5271)
- US Foods (1381)
- Carrix (626)
- Nintendo of America (1195)
- Seagen, Inc. (1992)
- Symetra Life Insurance Company (820)
- Washington Trust Bank (560)
- Banner Corporation (726)
- ASML (52)
If those figures do not overlap with the data reported to HHS, then at least 901,022 Brightline patients are reportedly affected. Seven of the clients listed in the Washington State notification are included in the list of 58 clients for whom Brightline indicated it was providing notifications, but the numbers in parentheses above represent only the number of Washington residents and not necessarily the total for each client. Until we know whether the reports to HHS cover all 58 clients named on Brightline's website, and until we know which clients have self-identified and disclosed their numbers, we have no way to determine the total for this incident for Brightline.
But why is Brightline making all these notifications instead of Fortra? Reportedly, Fortra refused to make them. A letter from Brightline's external counsel to Washington's attorney general reads, in part:
Brightline is providing this notification on behalf of certain other entities identified in the enclosed addendum that provided Brightline with the data impacted in this incident. To date, Fortra has refused to provide notice to individuals or regulators on Brightline’s behalf, despite repeated requests.
This may be a helpful reminder that business associate agreements (BAAs) should specify who is responsible for making notifications in the event of a reportable HIPAA breach. While the covered entity is ultimately responsible under HIPAA and HITECH, a BAA could include a contractual requirement that the business associate make the notifications if it has the necessary contact information, or if the covered entity will provide that contact information to it.
DataBreaches has written to Brightline’s external counsel to ask whether Brightline has terminated its contract with Fortra or continues using it. No reply was immediately available.
But apart from all the headache and expense for Brightline (and other Fortra clients) associated with notifications, there is still the issue reported in April: Clop has listed Brightline on its leak site and is threatening to leak all the data it took from Brightline if Brightline does not pay its demands.
DataBreaches will continue to monitor the impact of the Fortra/GoAnywhere incident on the healthcare sector, and the sector's incident response to it.