πŸ³οΈβ€βš§οΈ trans rights are human rights πŸ³οΈβ€βš§οΈ
Theme

Giant data breach of personal health information from several major hospitals | Forta

They Sold You Healthcare. They Sold Out Your Secrets.

A Russia-linked ransomware gang exploited a software vulnerability that hospital corporations knew about, ignored, and failed to fix. The result: the most intimate data of over a million patients, employees, and children handed to criminals — and months of silence from the companies responsible.


The Facts: What Happened, Who Did It, and How Many People Got Hurt

A single piece of software, left configured the way it came out of the box, opened the door to one of the largest healthcare data thefts in recent memory. Here is the documented chain of events.

  • January 28–30, 2023: The Clop ransomware group, linked to Russia, exploited a previously unknown (zero-day) vulnerability in Fortra’s GoAnywhere MFT managed file-transfer software. They accessed and exfiltrated files belonging to multiple defendants simultaneously across Fortra’s platform.
  • February 2, 2023: Fortra notified all affected defendants of the breach. This is the date on which the legal clock started ticking for each company’s obligation to inform the people whose data was stolen.
  • Community Health Systems operates 78 acute-care hospitals and more than 1,000 other sites of care across 15 states. In 2022, it reported $12.2 billion in revenue. It had access to — and transmitted via GoAnywhere MFT — the full medical, insurance, and personal records of patients and employees across that entire network.
  • Brightline is a pediatric mental and behavioral health startup. Its data breach exposed the PHI of children. The breach ultimately impacted an estimated 783,606 Brightline patients at minimum, with the company serving 64 connected partner organizations including Harvard University, Stanford University, Boston Children’s Hospital, Nintendo of America, and Diageo.
  • Imagine360 administers self-funded health insurance plans for employers. Its breach impacted the records of over 130,000 individuals who had healthcare claims processed through the company.
  • Intellihartx (ITx) is a healthcare revenue cycle and billing company. It accessed patients’ most personal records as a routine part of its billing operations and transmitted that data through Fortra’s software.
  • The data stolen included: full names, home addresses, dates of birth, Social Security numbers, medical diagnoses, prescription details, health insurance information, member identification numbers, health plan start and end dates, employer names, and medical billing records.
  • The Michigan Attorney General characterized the breach in a May 16, 2023 press release as targeting “130 companies, many in the healthcare sector,” confirming the scale extended far beyond the defendants in this lawsuit.

Visual 1: Breach-to-Notification Timeline — How Long Each Defendant Waited
  • Jan 28–30, 2023: Clop ransomware group breaches Fortra GoAnywhere MFT.
  • Feb 2, 2023 (~5 days later): All defendants notified by Fortra.
  • Mar 20, 2023 (46 days after notification): Community Health Systems begins patient notifications.
  • May 2023 (~90 days): Brightline notifies ~28k of 900k+ victims; the rest wait until mid-May.
  • Jun 6–9, 2023 (~125–148 days): ITx notifies patients; Imagine360 follows on June 30, 2023.
  • Mar 16 – May 5, 2023: Brightline data live on Clop’s leak site (50 days, publicly downloadable).

The Misconduct: A Breach They Saw Coming and Did Nothing to Stop

This was a preventable catastrophe. The software vulnerability was not a mystery. The healthcare industry’s status as a prime target for ransomware was not a secret. The defendants had legal obligations, industry warnings, prior breach history, and documented instructions explaining exactly how to reduce the risk. They ignored all of it.

  • The default settings were the problem. GoAnywhere MFT, by default, exposes its administrative login console to anyone with an internet connection. Fortra’s own installation guide included specific, simple instructions for restricting access: limit the software to certain network ports so only authorized users can reach the admin panel. The complaint alleges the defendants never made these changes.
  • 136 documented vulnerabilities were on record. Since 2014, the National Vulnerability Database had logged approximately 136 known vulnerabilities affecting managed file transfer products similar to GoAnywhere MFT. Of those, 51 were classified as high-risk. The defendants knew or should have known about this category of software’s attack surface.
  • Fortra had issued its own prior security advisories. Before the 2023 breach, Fortra had already disclosed security vulnerabilities in GoAnywhere MFT that rendered it exploitable. These were public disclosures the defendants could have acted on.
  • Community Health Systems had already been through this exact situation. In 2014, CHS suffered a breach that compromised 6.1 million patients. The FBI had specifically warned healthcare companies about cyberattacks targeting PHI in August 2014, immediately after that breach. The Iowa Attorney General’s investigation found CHS “failed to implement and maintain reasonable security practices.” The HHS investigation found “longstanding, systemic noncompliance” with HIPAA Security Rule requirements including failure to conduct a risk analysis and failure to implement access controls. CHS paid $10.4 million in total penalties, signed a consent decree, and then let it happen again nine years later.
  • Vendor screening was non-existent or inadequate. The defendants were responsible for selecting Fortra as a vendor, monitoring Fortra’s security posture, and configuring the GoAnywhere MFT servers that stored their patients’ data. The complaint alleges they controlled the MFT servers and were responsible for monitoring them for threat activity — and failed to do so.
  • Notification delays kept victims blind for months. ITx, which learned of the breach on February 2, waited 124 days to notify patients. Imagine360 waited nearly five months. During that window, victims could not freeze their credit, alert their banks, or take any protective action because they had no idea their data was stolen. Fraudulent transactions documented by multiple plaintiffs occurred during this period of company-enforced ignorance.
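
The default-settings point above (an administrative console reachable from anywhere unless the deployment restricts which networks can reach it) can be turned into a configuration check. The Python below is an added example written for this page; it is not code from the article, from Fortra, or from any defendant. The deployment model, the field names, the port 8000 value, and the rule that a port with no allow entry is open to everyone are all constructed assumptions, not GoAnywhere MFT’s actual configuration format. It puts the out-of-the-box layout beside a restricted one and flags only the admin-role listener, since partner-facing transfer endpoints are meant to be reachable.

```python
"""Audit of whether a managed file-transfer server's admin console is reachable
from outside the networks where administration is supposed to happen.

Added example for this page. The deployment model, field names, port numbers
and the "a port with no allow rule is open to everyone" default are
constructed assumptions; they are not GoAnywhere MFT's real configuration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Listener:
    name: str   # constructed service name
    role: str   # "admin" = management console, "transfer" = partner-facing endpoint
    bind: str   # interface address the service listens on
    port: int


@dataclass(frozen=True)
class AllowRule:
    port: int
    source: str  # CIDR permitted to reach the port


@dataclass(frozen=True)
class MftDeployment:
    listeners: tuple
    allow_rules: tuple      # constructed model: a port with no rule is open to everyone
    management_nets: tuple  # CIDRs from which administration is legitimately done


def _contained_in_management(sources, management_nets) -> bool:
    """True when every allowed source CIDR lies inside some management network."""
    trusted = [ip_network(net) for net in management_nets]
    return all(any(ip_network(src).subnet_of(t) for t in trusted) for src in sources)


def admin_console_exposure(dep: MftDeployment) -> list:
    """One finding per admin listener reachable from outside the management networks.

    Transfer endpoints are not assessed: partners are expected to reach them.
    """
    findings = []
    for lst in dep.listeners:
        if lst.role != "admin":
            continue
        if ip_address(lst.bind).is_loopback:
            continue  # only processes on the host itself can reach a loopback bind
        sources = [r.source for r in dep.allow_rules if r.port == lst.port]
        where = f"{lst.name} on {lst.bind}:{lst.port}"
        if not sources:
            findings.append(f"{where}: no allow rule, reachable from any address")
        elif not _contained_in_management(sources, dep.management_nets):
            findings.append(f"{where}: allowed from {sources}, wider than management networks")
    return findings


# Constructed "as installed" deployment: console bound on every interface, nothing filtering it.
DEFAULT_DEPLOYMENT = MftDeployment(
    listeners=(
        Listener("admin-console", "admin", "0.0.0.0", 8000),  # port is an assumption
        Listener("sftp", "transfer", "0.0.0.0", 22),
    ),
    allow_rules=(),
    management_nets=("10.0.5.0/24",),
)

# Constructed hardened deployment: console on an internal address, reachable only from the admin subnet.
HARDENED_DEPLOYMENT = MftDeployment(
    listeners=(
        Listener("admin-console", "admin", "10.0.5.10", 8000),
        Listener("sftp", "transfer", "0.0.0.0", 22),
    ),
    allow_rules=(
        AllowRule(8000, "10.0.5.0/24"),
        AllowRule(22, "0.0.0.0/0"),  # partners upload here; that endpoint is meant to be public
    ),
    management_nets=("10.0.5.0/24",),
)


if __name__ == "__main__":
    for label, dep in (("default", DEFAULT_DEPLOYMENT), ("hardened", HARDENED_DEPLOYMENT)):
        print(label, admin_console_exposure(dep) or ["no admin exposure"])
```

Run as a script, the default layout produces one finding for the admin console and the hardened layout produces none. The check deliberately treats a console bound on all interfaces as acceptable when a firewall rule confines it to the management subnet, which is the kind of restriction the installation guide quoted above describes; what it never accepts is an admin port with no restriction at all.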
“The failure to implement the security protections required by the HIPAA Rules, especially after being notified by the FBI of a potential breach, is inexcusable.”
— OCR Director Roger Severino, HHS, on the 2014 Community Health Systems breach settlement

Visual 2: What You Were Told vs. What Was Actually Happening
  • Security promise: “We implement and maintain reasonable security practices.” The reality: default admin console exposed to the entire public internet.
  • Prior breach lessons: Signed consent decrees and paid $10.4M to fix security after the 2014 breach. The reality: the same vendor security failures repeated 9 years later.
  • Notification speed: HIPAA requires prompt breach notification to protect patients. The reality: ITx, 124 days; Imagine360, ~148 days; Brightline, 900k+ victims waited 3+ months.
  • Children’s data (Brightline): “The protection of your health information is very important to us.” The reality: children’s mental health records publicly downloadable for 50 days on Clop’s site.
  • Bottom line: You paid for healthcare. They collected your most sensitive data. Then they gave it to criminals and took months to tell you.

Visual 3: Entity Relationship Map — How Your Data Moved Through the System
  • Patients / employees (1M+ individuals): PII/PHI required.
  • Healthcare defendants (CHS / CHSPSC, Brightline, Imagine360, Intellihartx): data uploaded via GoAnywhere MFT.
  • Fortra LLC, GoAnywhere MFT: default configuration left the admin console open to the internet.
  • Clop ransomware (Russia-linked group): zero-day exploit against GoAnywhere MFT.
  • Dark web leak site: data published for 50 days, Mar 16 – May 5, 2023.
  • Victims harmed: fraud, identity theft, credit damage.

The Non-Financial Ledger: What Was Actually Taken From Real People

Robert Terwilliger lives in Missouri. He went to CoxHealth for medical care. He handed over his name, his address, his insurance information, his medical records — not because he wanted to, but because that is the deal. You want healthcare in America, you sign over your most private information and trust that the hospital, the billing company, the software vendor, and every other contractor in between will protect it. Robert Terwilliger trusted that deal. It was broken.

After the breach, someone began filing credit applications in Robert Terwilliger’s name. Then another. Then another. Over the months following January 2023, seventeen separate hard credit inquiries were made against his credit file without his knowledge or consent. He did not know about the breach because ITx waited over four months to tell him. He did not know his information was compromised. He was applying for a mortgage. On January 22, 2024 — nearly a year after the breach — his bank told him he did not qualify for a home loan. His credit score had dropped 209 points. He is now paying approximately $1,442 per year for credit monitoring services through three separate platforms. He bought those subscriptions because he has no other way to know if someone is using his identity. That is the cost of trusting a healthcare billing company that left its software’s administrative panel open to the internet.

Angela Martin is from Alabama. She found out her data was on the dark web from Experian. She did not find out from Community Health Systems, not immediately. In the time between the breach and the notification, someone tried to open a Zelle account in her name. Then she started getting alerts that people were applying for bank accounts using her identity. Then came the unauthorized transactions on her existing bank account. She estimates she has spent approximately 40 hours dealing with the fallout from this breach. Forty hours of her life, spent not on her family, not on her work, not on anything she chose — but on cleaning up a mess made by a corporation that already paid $5 million for making this exact same mess in 2014.

Nicholas Timmons, from Missouri, received a letter from SoutheastHealth — a hospital he had trusted with his health information — telling him that a billing company he had never heard of, Intellihartx, had been hacked. Since then, he gets a steady stream of fraudulent loan and credit pre-approval letters in the mail. Scam calls come in consistently. Someone used his Regions Bank debit card for unauthorized transactions. He has had to get a new debit card at least three times.

Ryan Watson is from Virginia. After the breach, he received a call from someone claiming to be an Amazon representative who needed to verify his banking details for a pending delivery. There was no pending delivery. Ryan Watson had made no such purchase. He knew it was a scam, but the fact that it was happening — that someone had his information and was using it to probe for financial access — is something that does not simply go away. It lives in the back of your mind every time the phone rings.

Thomas Kelly, from Ohio, saw fraudulent charges hit his Fifth Third Bank account in March 2023. His personal information showed up on the dark web. The spam calls started. Kelly had received care at Fulton County Medical Center, which had contracted with Intellihartx for billing services in approximately 2020. He never agreed to have his data routed through a third-party billing company and from there into a file-transfer platform that was misconfigured from installation. That was decided for him, by corporations, in transactions he was never part of.

Kyle Castro, a father in Tennessee, entrusted Brightline with his personal health information and the health information of his minor children. His children’s private records were caught in this breach. He is now paying for IDshield, a credit monitoring service, to track his children’s identities β€” children who cannot protect themselves, who did not consent to anything, whose mental health treatment records were accessible to anyone who visited a ransomware gang’s website for fifty days.

Itaunya Milner, from New Jersey, is in the same situation. She trusted Brightline with her minor child’s health information. That child’s records were exposed. A child’s mental health data on the dark web is not a statistic. It is a life-long liability. It can resurface in background checks, insurance applications, or any number of places at any point in the future. The child had no say. Neither did Milner, not really, because the alternative was no mental health care for her child at all.

These are the people behind the case number. The lawsuit will be decided on legal standards: duty of care, HIPAA compliance, notice requirements, class certification rules. But what actually happened here is that corporations got rich processing the most intimate details of millions of people’s lives, skimped on the security costs that would have protected that data, and then took months to tell anyone when the inevitable happened. The bill for their negligence is being paid in forty hours of Angela Martin’s life, in Robert Terwilliger’s lost home, in Kyle Castro’s children’s stolen innocence, and in the ongoing, unquantifiable anxiety of a million people who will never fully know what was done with what was taken from them.

“Forty percent of the customers were never able to resolve their identity theft at all.”
— Industry study on medical identity theft outcomes, cited in the complaint

Legal Receipts: What They Said, What It Proves

The following are direct quotes from court filings, regulatory settlements, and official statements. No paraphrasing.

  • This quote proves that federal regulators had already told Community Health Systems, in explicit terms, that their security failures were inexcusable — and specifically called out their failure to act even after an FBI warning. CHS paid the fine and signed the consent decree. Then, nine years later, they failed to secure the same type of vendor-transmitted patient data again.
  • This statement is directly relevant to the 2023 breach because it establishes that the foreseeable harm was already documented, acknowledged, and penalized. Repeating the same failure is not negligence — it is a pattern.
  • This is a formal legal finding, not an allegation. A coalition of 28 state attorneys general concluded, after investigation, that Community Health Systems did not meet the minimum legal standard for protecting patient data.
  • The 2023 complaint cites this finding to establish that the 2023 breach was not a surprise or an unforeseeable event. Defendants had been specifically told by government officials what they were doing wrong and had agreed to fix it.
  • The word “systemic” is the key word here. This was not a one-time mistake; it was a documented, pervasive failure across multiple security requirements simultaneously. Conducting a risk analysis is one of the most basic HIPAA Security Rule obligations. Failing to do even that — at a company processing the health records of millions of Americans — is a fundamental dereliction of duty.
  • The complaint argues that the same systemic failures reappeared in 2023 in the form of inadequate vendor screening and failure to configure GoAnywhere MFT to minimum security standards.
  • This is CHS’s own published standard. They claim to hold their vendors to “specific standards of conduct.” Yet the complaint alleges that their vendor, Fortra, was running file-transfer software with the administrative panel exposed to the open internet and that CHS appears never to have required or verified that basic security configurations were in place.
  • This statement creates a direct contradiction between the company’s public-facing claims and its alleged operational reality.
  • Brightline made an explicit written promise in its HIPAA Privacy Practices notice that it would only release patient health information with permission or under defined circumstances. The 2023 breach was neither. Brightline released the PHI of 783,000+ patients — including children — to a Russian ransomware gang, by virtue of using an insecure file-transfer platform.
  • Plaintiffs relied on this explicit promise when they entrusted Brightline with their children’s mental health records.
  • This statement from the criminal group itself is notable: Clop claimed to have deleted Brightline’s data after discovering it was a children’s mental health provider. The complaint notes that BleepingComputer.com could not confirm the data was fully deleted.
  • Critically, the news outlet confirmed it could not determine who downloaded Brightline’s files during the 50 days they were publicly available (March 16 to May 5, 2023). “Deleted from the gang’s site” does not mean “not distributed to buyers.” The data was available to any visitor for fifty days. No one can recover that.

Societal Impact Mapping: The Ripple Effect of a Corporate Security Failure

Public Health

When healthcare data is compromised, it does not just threaten financial accounts. It threatens the integrity of the healthcare system itself, chilling patients’ willingness to seek care and enabling a category of fraud that can kill people.

  • Medical identity theft — where someone uses stolen health credentials to fraudulently bill for procedures or obtain medications in a victim’s name — corrupts the victim’s medical record. False diagnoses, wrong blood types, incorrect medication histories, and fraudulent procedures can all appear in a victim’s file, creating the potential for dangerous medical errors in future treatment.
  • The complaint notes that Plaintiff Donisha Jackson faces the specific risk of “having medical services billed in her name” as a direct result of the breach. When fraudulent bills accumulate in a patient’s name, insurance providers can drop or restrict coverage, leaving victims without access to the care they legitimately need.
  • The complaint cites industry research showing that “almost 50 percent of the victims lost their healthcare coverage as a result of the incident, while nearly 30 percent said their insurance premiums went up.” Medical identity theft does not just harm finances — it directly reduces access to care.
  • Forty percent of medical identity theft victims were never able to resolve their cases at all. Their records remain corrupted indefinitely, a permanent public health liability created by a corporate security failure.
  • Brightline specifically provides pediatric mental and behavioral health services. The exposure of children’s mental health records — diagnoses, treatment histories, prescription information — creates lasting stigma risks that could affect those children’s access to insurance, employment, and other services well into adulthood.
  • The AMA has documented that 83 percent of physician practices have experienced cyberattacks, and warned that these attacks “threaten patient access to care” directly — not just privacy. A healthcare sector that bleeds patient data enables the exact class of attack that happened here.

Economic Inequality

The economic damage from this breach did not fall on Community Health Systems executives or Brightline investors. It fell on patients in Alabama, Mississippi, Tennessee, Ohio, Missouri, New Jersey, Pennsylvania — people who had no realistic alternative to trusting these companies with their data.

  • The average total cost to resolve a medical identity theft incident is approximately $20,000, according to industry research cited in the complaint. This includes legal fees, out-of-pocket healthcare costs to restore coverage, and time and resources spent disputing fraudulent records. For working-class families, $20,000 is not a manageable expense — it is a financial catastrophe.
  • Robert Terwilliger is now paying approximately $1,442 per year for credit monitoring across three services. That is an ongoing annual tax on his household budget imposed by ITx’s security failures. He did not choose this expense. He has no alternative if he wants to know whether someone is stealing his identity.
  • Kyle Castro subscribed to IDshield to monitor his and his minor children’s credit β€” another ongoing financial burden for a family that simply sought healthcare services. The cost of protecting against the consequences of a corporate failure is being billed directly to the victim.
  • Angela Martin spent approximately 40 hours dealing with the aftermath of the breach. That is a full week of working hours. Time spent filing fraud reports, calling banks, monitoring accounts, and disputing unauthorized transactions is time that is not spent earning income, caring for family, or living life. This time cost is regressive: it falls hardest on people who cannot pay someone else to handle it.
  • The complaint estimates that the matter in controversy exceeds $5 million for a class of over 100 people. This figure, even if fully recovered, would not begin to account for the aggregate time, stress, and ongoing financial exposure borne by over one million victims.
  • CHS, which posted $12.2 billion in revenue in 2022, had the resources to build and maintain industry-standard security. The decision not to — or the decision to prioritize other expenditures over adequate vendor security oversight — was a choice made by a corporation with enormous financial power against people who had no leverage and no meaningful alternative.

Visual 4: The Asymmetry of Cost — Corporate Fines vs. Victim Cost Per Person
  • ~$1.70: CHS penalty per victim (2014).
  • $1,442/yr: Annual credit monitoring (Terwilliger).
  • ~$20,000: Average resolution cost per victim.
  • ~$12,200: CHS 2022 revenue per victim (est.).
All figures per individual victim. CHS 2014 penalty: $10.4M ÷ 6.1M patients.

The “Cost of a Life” Metric


How It Was Supposed to Work vs. What Actually Happened

Visual 5: HIPAA Compliance Process — Required vs. Actual
  • Required: Screen vendors for HIPAA-compliant security before signing contracts (45 CFR § 164.306). What actually happened: Contracted with Fortra; GoAnywhere left in its default (internet-exposed) configuration.
  • Required: Conduct ongoing risk analysis of vendor security posture (45 CFR § 164.308(a)(1)). What actually happened: HHS found “failure to conduct a risk analysis” in the 2020 settlement; the same gap repeated.
  • Required: When a breach occurs, notify affected individuals within 60 days (HIPAA Breach Rule). What actually happened: ITx, 124 days; Imagine360, ~148 days; Brightline, 900k+ victims waited 90+ days.
  • Required: Implement remediation; prevent further exposure of stolen data. What actually happened: Data remained on Clop’s site for 50 days; download history unknown.
Outcome: Every required step was either skipped or completed inadequately. Community Health Systems signed consent decrees in 2020 saying they had fixed this. They hadn’t. The lawsuit argues this pattern constitutes negligence, HIPAA violations, and breach of fiduciary duty.

What Now? Who to Hold Accountable and How to Fight Back

The companies responsible for this breach are still operating, still holding health data, and still processing medical records for millions of Americans. The class action is ongoing. Here is what you can do and who you need to watch.

The Corporate Defendants

The complaint names specific corporate leadership roles. Where the source document identifies individuals by role or as LLC members, they are listed here:

  • Community Health Systems, Inc. (CHS): Publicly traded on the NYSE (ticker: CYH). Operates 78 hospitals across 15 states. $12.2 billion in 2022 revenue. Principal place of business: 4000 Meridian Blvd., Franklin, Tennessee 37067.
  • CHSPSC, LLC: CHS’s professional services subsidiary that contracts with vendors on behalf of all CHS-affiliated entities. Same address as CHS.
  • Brightline, Inc.: Principal place of business: San Mateo, California. Pediatric mental health provider backed by over $200 million in venture capital. Employer-facing model means patients have no direct contractual relationship to enforce data rights.
  • Imagine360, LLC: Members Stephen Kelly (Pennsylvania) and Charles Walters, III (Georgia). Principal place of business: 1550 Liberty Ridge Dr. #330, Wayne, Pennsylvania.
  • Intellihartx, LLC (ITx): Sole member Phillip R. Grower (Ohio). Principal place of business: 129 E. Crawford St., Suite 360, Findlay, Ohio 45840.

Regulatory Watchlist

  • HHS Office for Civil Rights (OCR): The federal agency that enforces HIPAA. OCR already extracted $2.3 million from CHSPSC for the 2014 breach. It has authority to investigate again, issue corrective action plans, and impose civil monetary penalties for the 2023 breach.
  • State Attorneys General: Twenty-eight AGs jointly prosecuted CHS for the 2014 breach. Michigan AG Dana Nessel specifically called out the Fortra breach in May 2023. Contact your state AG to demand investigation into whether state breach notification laws were violated by the defendants’ multi-month notification delays.
  • Federal Trade Commission (FTC): The FTC has authority over unfair and deceptive trade practices. Healthcare companies making explicit security promises they don’t keep fall within FTC jurisdiction. The FTC has been increasingly active on data security enforcement.
  • Securities and Exchange Commission (SEC): CHS is publicly traded. Its SEC Form 8-K disclosures on the breach are in the public record. The SEC has active data breach disclosure rules for public companies. Verify CHS’s disclosures for completeness and timeliness.
  • CISA (Cybersecurity and Infrastructure Security Agency): Responsible for critical infrastructure security, including healthcare. CISA maintains advisories on ransomware groups including Clop. Filing incident reports with CISA creates a public record and can trigger federal investigation.

How to Protect Yourself and Fight Back

  • If you received healthcare services from any CHS-affiliated hospital, Brightline, Imagine360, or any ITx billing client (including CoxHealth, AtlantiCare Regional Medical Center, SoutheastHealth, Fulton County Medical Center, or Life Laboratories) between 2022 and 2023, check whether you received a data breach notice. If you did not receive a notice but believe you were affected, contact the HHS Breach Notification portal.
  • Freeze your credit at all three bureaus (Equifax, Experian, TransUnion) immediately. A credit freeze is free and prevents new accounts from being opened in your name. It is the single most effective step against the identity theft this breach enables.
  • File a complaint directly with HHS OCR at hhs.gov/hipaa/filing-a-complaint if you believe your HIPAA rights were violated. OCR takes individual complaints and uses them to build enforcement cases.
  • Join or monitor the class action. The consolidated MDL is Case No. 24-md-03090-RAR in the Southern District of Florida. Court filings are publicly accessible via PACER. If you are a potential class member, consult a plaintiffs’ attorney about your standing.
  • Organize with others in your community who use CHS-affiliated hospitals. These facilities disproportionately serve rural and lower-income communities in Alabama, Mississippi, Tennessee, and other states where CHS operates. Local organizing pressure on hospital boards and state legislators can force accountability that federal agencies move too slowly to deliver.
  • Demand that your employer ask hard questions about the data security practices of any company it uses for employee health benefits — including mental health platforms like Brightline and plan administrators like Imagine360. Your employer hands your PHI to these companies. They need to audit who they are giving it to.
  • Support legislative efforts to strengthen HIPAA’s breach notification deadlines and increase civil penalties to levels that actually deter multi-billion dollar corporations. At $1.70 in penalties per victim, the current system is a cost of doing business, not a deterrent.

The source document for this investigation is attached below.


Aleeia

I'm Aleeia, the creator of this website.

I have 6+ years of experience as an independent researcher covering corporate misconduct, sourced from legal documents, regulatory filings, and professional legal databases.

My background includes a Supply Chain Management degree from Michigan State University's Eli Broad College of Business, and years working inside the industries I now cover.

Every post on this site was either written or personally reviewed and edited by me before publication.

Learn more about my research standards and editorial process by visiting my About page
