Information on data security incident involving health benefits vendor
Update as of May 31, 2023: After the initial information about this data security incident was posted, Stanford learned that more Stanford University employees and retirees were impacted than was originally known. The vendor, Brightline, has sent notifications to all individuals whose information was part of this incident. Updated information about the populations affected by this incident is provided in bold type below. A set of frequently asked questions also has been posted.
We are writing to share information about a recent data security incident experienced by a vendor that affects portions of our community. The vendor, Brightline, offers virtual behavioral and mental health services for the children of benefits-eligible employees and postdoctoral scholars across Stanford’s group health plans, including Stanford Health Care, Stanford Health Care Tri-Valley, Stanford Medicine Children’s Health, Stanford Medicine Partners, and Stanford University.
For benefits-eligible employees in Stanford’s group health plans for Stanford Health Care, Stanford Health Care Tri-Valley, Stanford Medicine Children’s Health, and Stanford Medicine Partners – as well as for benefits-eligible postdoctoral scholars of Stanford University – only participants with dependents under the age of 18 were affected by this data security incident.
UPDATE: Beyond the above populations, to support determination of eligibility for Brightline’s services and population health objectives, Stanford University’s benefits administrator shared with Brightline demographic information for certain Stanford University employees and dependents who were enrolled in group health plans at any point between March 2022 and January 2023. This information was also affected by the breach, we now understand. We also understand that a third-party group health plan administrator also shared data with Brightline for certain Stanford University retirees and insureds outside of Brightline’s service provider range, and this data also was affected.
Brightline began notifying the affected individuals in early April 2023 and we understand that all affected individuals have now been notified.
Brightline’s investigation determined that the incident involved data that were mostly demographic in nature, such as subscriber and dependent names, contact information, member ID, dates of birth, and coverage start/end dates. No Social Security numbers or financial accounts were included, nor did the files contain anything related to medical services, conditions, diagnoses, or claims for the plan participant or their dependent.
If you are affected by this data security incident, you will have received a letter (or letters, if you have dependents) from Brightline. Each letter has a unique code for the member and/or dependent to register for free identity theft and credit monitoring. Brightline also has a call center available to answer your questions. More information is available on Brightline’s website. Stanford also has posted a set of frequently asked questions, available here. Employees and their eligible dependents can continue to use Brightline’s virtual services during this time.
We sincerely regret any inconvenience this incident may cause the affected individuals. The confidentiality, privacy, and security of personal information continue to be important priorities for Stanford, and also for the vendors we engage to provide services for our community. We are working with our service providers to assure that information shared in the future is limited to the populations eligible for Brightline’s services.
Raina Rose Tagle
Senior Associate Vice President and Chief Risk Officer
Stanford University and Stanford Medicine
Interim Chief Compliance and Privacy Officer
Stanford Health Care and Stanford Medicine Children’s Health