The U.S. Department of Health and Human Services reported on April 7, 2023, that Brightline, Inc. experienced a hacking incident affecting the protected health information (PHI) of 4,044 individuals. The breach involved a third-party provider and impacted information such as names, dates of birth, and addresses. In response, Brightline provided complimentary credit monitoring services and implemented additional security measures.

On January 30, 2023, Brightline, Inc. experienced a data breach due to unauthorized access to its GoAnywhere MFT Software-as-a-Service (SaaS) platform by an external threat actor. The incident was publicly disclosed by the California Office of the Attorney General on May 10, 2023. The breach exposed sensitive personal information of individuals, including names and Social Security numbers (SSNs). While the exact number of affected individuals remains undisclosed, the compromise of such high-value data—particularly SSNs—poses significant risks, including identity theft, financial fraud, and long-term reputational harm to the company. The breach stemmed from a vulnerability in the third-party file-transfer service, highlighting supply-chain security risks. Brightline, a mental health services provider for children and families, faces potential regulatory scrutiny under state data protection laws (e.g., CCPA) and may incur costs related to notifications, credit monitoring, and legal liabilities. The incident underscores the critical need for robust access controls and vendor risk management in healthcare-adjacent sectors.