Children’s data feared stolen in Fortra ransomware attack

The fallout from Fortra’s mass ransomware attack continues to widen as the hackers claim a new victim: a children’s virtual mental health care startup.

In a data breach disclosure filed with the Maine attorney general’s office, U.S. healthcare giant Blue Shield of California confirmed that one of its providers, Brightline, had data stolen from data stored in its GoAnywhere file transfer tool.

Brightline, which provides virtual coaching and therapy to children, was identified by TechCrunch last week as a likely victim of the mass breach.

The breach notification confirmed that hackers — presumably the Russia-linked Clop ransomware gang that claimed to have breached over a hundred organizations by using an undisclosed security flaw — accessed and potentially exfiltrated the personal data of more than 63,000 patients.

Clop’s dark web leak site, which the gang uses to publish the stolen files unless a ransom is paid, says that the gang will leak the data stolen from Brightline “soon.”

Brightline has yet to publicly acknowledge the breach, either on its website or social media channels. Brightline spokesperson John O’Connor declined to answer TechCrunch’s questions, but did not dispute that the breach affects 63,000 individuals. It’s unclear how many of Brightline’s child users are affected.

In its breach notification, Blue Shield said that the breach affected includes patient names, addresses, dates of birth, gender, Blue Shield subscriber ID numbers, phone numbers, e-mail addresses, plan names and plan group numbers.

Brightline is said to be one of 130 organizations hit by the Clop group, but not the only healthcare company. US Wellness, which offers corporate health and wellness programs, also confirmed that hackers had accessed the personal data of its users, including names, addresses, dates of birth and member ID numbers.

The impact of the Fortra vulnerability on healthcare organizations is so widespread that it prompted the U.S. government’s health sector cybersecurity coordination center — or HC3 —  to issue a warning in February to help safeguard against Clop’s attacks.

Outside of healthcare organizations, the group’s ever-growing list of known victims includes the City of Toronto, Canadian financing giant Investissement Québec and Virgin Red.

Jodie Burton, a spokesperson for Virgin Red, told TechCrunch that it learned that attackers had “illegally obtained some Virgin Red files via a cyber-attack on our supplier, GoAnywhere” after being contacted by Clop. TechCrunch has heard from other victims that they, too, only learned that data had been stolen after receiving a ransom demand — despite Fortra having assured them that their data was safe.

Fortra spokespeople Mike Devine and Rachel Woodford have repeatedly declined to answer TechCrunch’s questions. Anne Hart, who represents Brightline on behalf of crisis communications firm Prosek, declined to comment when reached by TechCrunch.

Updated on April 1 with remarks via Prosek.