Notice of Fortra Data Security Incident

Brightline, a startup pediatric behavioral health provider, on behalf of certain entities identified below (“Covered Entities”), is informing impacted individuals about a security incident at its vendor, Fortra, that affected a limited amount of protected health information. Fortra is a third-party provider of file transfer services known as GoAnywhere MFT Software-as-a-Service.  We received information from the Covered Entities concerning eligibility of certain individuals for our services and this information was stored in our account with Fortra.  

What Happened: While Fortra’s investigation is ongoing, we understand that on January 30, 2023, Fortra was made aware of suspicious activity within certain instances of its GoAnywhere MFT service. Through its investigation, Fortra states that it identified a previously-unknown vulnerability which an unauthorized party used to gain access to certain Fortra customers’ accounts and download files, including ours.

Fortra informed us about the security vulnerability in their GoAnywhere MFT service on February 4, 2023. We took swift action the same day in response to the notice. Our investigation determined the incident was limited solely to the Fortra service and did not impact our own network.  Fortra also promptly notified law enforcement and is cooperating with their investigation of the Fortra incident.

Subsequently, we determined that the unauthorized party acquired certain files that were saved in the Fortra service. After making this determination, we immediately began to analyze the files to determine which individuals and data had been affected. As part of that analysis, it was determined that those files contained a limited amount of protected health information.  We then began notifying the Covered Entities of the incident.

What Information Was Involved: Based on the investigation, we identified a limited amount of protected health information/personal information in the files that the unauthorized party acquired, potentially including some combination of the following data elements: individuals’ names, addresses, dates of birth, member identification numbers, date of health plan coverage, and/or employer names. Please see here for a list of impacted entities. Note: Aetna member IDs were not compromised as a result of this incident.

What We Are Doing: As soon as we became aware of the incident, we took immediate action to investigate it by confirming Fortra deactivated the unauthorized user’s credentials, turned off the service and rebuilt our version so it was no longer vulnerable.  Further, we implemented additional security measures, including limiting ongoing access to verified users, removing all of our data from the service, and continuing ongoing measures to reduce data exposure until an alternative file transfer solution is identified and implemented. While our investigation has determined that the incident did not impact our systems directly, we continue to enhance our cybersecurity program to further safeguard from cyber threats. 

We are providing notice of Fortra’s incident to affected individuals commencing on April 7, 2023. Impacted individuals are being offered 2 years of complimentary identity theft and credit monitoring services by Cyberscout.  We have also established a hotline to address questions related to this incident, which impacted individuals can reach at 1-833-570-2987. We have also advised impacted individuals of the steps outlined below that they can take to further protect themselves.

What You Can Do:

Order Your Free Credit Report. To order your free annual credit report, visit www.annualcreditreport.com, call toll-free at (877) 322-8228, or complete the Annual Credit Report Request Form on the U.S. Federal Trade Commission’s (FTC) website at www.ftc.gov and mail it to Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. 

The three credit bureaus (Equifax, Experian, and TransUnion) provide free annual credit reports only through the website, toll-free number, or request form. You may also purchase a copy of your credit report by contacting any of the credit reporting agencies below:

Equifax www.equifax.com        (800) 685-1111

Experian www.experian.com  (888) 397-3742

TransUnion www.transunion.com   (800) 916-8800

For Colorado, Georgia, Maine, Maryland, Massachusetts, New Jersey, Puerto Rico, and Vermont residents: You may obtain one or more (depending on the state) additional copies of your credit report, free of charge. You must contact each of the credit reporting agencies directly to obtain such additional report(s).

Upon receiving your credit report, review it carefully. Errors may be a warning sign of possible identity theft. Here are a few tips of what to look for:

  • Look for accounts you did not open.

  • Look in the “inquiries” section for names of creditors from whom you have not requested credit. Some companies bill under names other than their store or commercial names; the credit bureau will be able to tell if this is the case.

  • Look in the “personal information” section for any inaccuracies in information (such as home address and Social Security Number).

If you see anything you do not understand, call the credit bureau at the telephone number on the report. You should notify the credit bureaus of any inaccuracies in your report, whether due to error or fraud, as soon as possible so the information can be investigated and, if found to be in error, corrected. If there are accounts or charges you did not authorize, immediately notify the appropriate credit bureau by telephone and in writing. Information that cannot be explained should also be reported to your local police or sheriff’s office because it may signal criminal activity.

We encourage you to take advantage of these protections and remain vigilant for incidents of fraud and identity theft, including regularly reviewing and monitoring your credit reports and account statements.

Federal Trade Commission and State Attorneys General Offices. If you believe you are the victim of identity theft or have reason to believe your personal information has been misused, you should immediately contact the Federal Trade Commission and/or the Attorney General’s office in your home state, and local law enforcement. You may also contact these agencies for information on how to prevent or minimize the risks of identity theft.

You may contact the Federal Trade Commission, Consumer Response Center, 600 Pennsylvania Avenue, NW, Washington, DC 20580, www.ftc.gov/bcp/edu/microsites/idtheft/, 1-877-IDTHEFT (438-4338).

For Maryland residents: You may contact the Maryland Office of the Attorney General, Consumer Protection Division, 200 St. Paul Place, Baltimore, MD 21202, www.oag.state.md.us, 1-888-743-0023.

For North Carolina residents: You may contact the North Carolina Office of the Attorney General, Consumer Protection Division, 9001 Mail Service Center, Raleigh, NC 27699-9001, www.ncdoj.gov, 1-877-566-7226 for more information about preventing identity theft.

For New York residents: The Attorney General may be contacted at: Office of the Attorney General, The Capitol, Albany, NY 12224-0341; 1-800-771-7755; https://ag.ny.gov/.

For Connecticut residents: You may contact the Connecticut Office of the Attorney General, 165 Capitol Avenue, Hartford, CT 06106, 1-860-808-5318, www.ct.gov/ag.

For Massachusetts residents: You may contact the Office of the Massachusetts Attorney General, 1 Ashburton Place, Boston, MA 02108, 1-617-727-8400, www.mass.gov/ago/contact-us.html.

For Rhode Island residents: You may contact the Office of the Attorney General, 150 South Main Street, Providence, RI 02903, (401) 274-4400, https://riag.ri.gov/. 

Reporting of identity theft and obtaining a police report.

For Iowa residents: You are advised to report any suspected identity theft to law enforcement or to the Iowa Attorney General.

For Massachusetts residents: You have the right to obtain a police report.

For Oregon residents: You are advised to report any suspected identity theft to law enforcement, the Federal Trade Commission, and the Oregon Attorney General.

For Rhode Island residents: You have the right to obtain a police report.

Placing a Security Freeze. You have a right to place a “security freeze” on your credit report, at no charge, which will prohibit a consumer reporting agency from releasing information in your credit report without your express authorization. The security freeze is designed to prevent credit, loans, and services from being approved in your name without your consent. However, you should be aware that using a security freeze to take control over who gets access to the personal and financial information in your credit report may delay, interfere with, or prohibit the timely approval of any subsequent request or application you make regarding a new loan, credit, mortgage, or any other account involving the extension of credit.

You can place, temporarily lift, or permanently remove a security freeze on your credit report online, by phone, or by mail. You will need to provide certain personal information, such as address, date of birth, and Social Security number to request a security freeze and may be provided with a unique personal identification number (PIN) or password, or both, that can be used by you to authorize the removal or lifting of the security freeze. Information on how to place a security freeze with the credit reporting agencies is also contained in the links below:

https://www.equifax.com/personal/credit-report-services/ 

https://www.experian.com/freeze/center.html  

https://www.transunion.com/credit-freeze 

As of February 20, 2023, the reporting agencies allow you to place a credit freeze through the online, physical mail and phone numbers and request that you provide the information listed below. Where possible, please consult the websites listed above for the most up-to-date instructions. 

Fees associated with placing, temporarily lifting, or permanently removing a security freeze no longer apply at nationwide consumer reporting agencies.

Placing a Fraud Alert. To protect yourself from possible identity theft, you have the right to place an initial or extended fraud alert on your credit file at no cost. An initial fraud alert is a one-year alert that is placed on a consumer’s credit file. Upon seeing a fraud alert display on a consumer’s credit file, a business is required to take steps to verify the consumer’s identity before extending new credit. If you are a victim of identity theft, you are entitled to an extended fraud alert, which is a fraud alert lasting seven years. You may obtain additional information from the FTC and the credit reporting agencies listed above about placing a fraud alert and/or security freeze on your credit report.