A Federal judge has given preliminary approval of a $20 million settlement to resolve a multidistrict lawsuit against the software company Fortra in association with a 2023 hacking incident that impacted the Fortra GoAnywhere managed file transfer (MFT) solution. The Clop ransomware group identified a zero-day vulnerability in the software and exploited it to acquire access to customer information.
Fortra faced multiple class action lawsuits because of the data breach. The proposed settlement covered eight of nine class action lawsuits filed against Fortra and its healthcare customers. The lawsuits were combined in a multidistrict lawsuit – In re: Fortra File Transfer Software Data Security Breach Litigation – filed in February 2024 at the Southern District of Florida. The lawsuit claims cover Fortra, NationsBenefits Holdings LLC, NationsBenefits LLC, Santa Clara Family Health Plan, Aetna Inc., Aetna Life Insurance Co., Anthem Insurance Companies Inc., Community Health Systems Inc., Elevance Health Inc., CHSPC LLC, Brightline, Intellihartx LLC, and Imagine360.
The lawsuits claimed negligence, negligence per se, breach of confidence, breach of implied contract, breach of fiduciary duty, breach of contract, and violations of the California Consumer Privacy Act, California Consumer Records Act, California Consumers Legal Remedies Act, California unfair competition law, and consumer protection regulations in a few other states.
Another $7 million settlement was concluded involving the plaintiffs and Brightline in July 2024, which got final Court approval in February 2025. After global mediation, Fortra reached an agreement to settle all claims against the rest of the defendants. The court has given the settlement preliminary approval, and support will be given to around 5 million people who received data breach notifications.
The settlement has 10 subclasses: Fortra, which includes all members of the primary settlement class, and nine other subclasses, which are for those who got notifications from Aetna, CHS, Brightline, Elevance, Intellihartz, Imagine360, NationsBenefits, Hatch Bank, and Santa Clara Family Health Plan.
According to the terms of settlement, Fortra will create a $20 million fund to pay for claims, attorneys’ costs, class representative awards, and administration expenses. Class members can opt to file a claim to reimburse documented deficits as much as $5,000 per class member or otherwise get a cash payment of approximately $85. All claimants can also get 12 months of dark web monitoring. Brightline subclass members aren’t qualified to get the cash payment and could only file a claim to reimburse losses when they have not yet submitted a claim as per the particular Brightline settlement.
Any excess funds in the settlement will go to the Electronic Privacy Information Center or another non-profit group authorized by the court. Before the settlement is given final approval, all defendants will give the court testimonies on the security procedures applied in line with the data incident, the expenses of which will be shouldered entirely by the defendants and won’t be taken from the settlement fund. Expenses for the required HIPAA certification should be shouldered by the defendant as well.
