The Target: Brightline, a pediatric mental and behavioural health provider.
The Take: Exposure of Personally Identifiable Information including: full names, physical addresses, dates of birth, member identification numbers, date of health plan coverage and employer names.
The Vector: A zero-day exploit was used to breach a third-party vendor, Fortra, of Brightline’s, targeting their file transfer software which let the attackers gain access to sets of files throughout the third-party vendor’s systems.
This breach is critical reminder that zero-day exploits do happen, and furthermore that patching software in a timely, effective manner is a key component of ensuring customer data is protected. Ensuring third-party vendors are deploying patches and fixes in accordance with a firm’s cybersecurity policy is an important step in an overall robust security posture.