STANFORD — The personal information of some Stanford University employees and postdoctoral students, along with their dependents, was stolen in a data breach earlier this year, officials said.
The breach involved Brightline Inc., a provider of virtual behavioral and mental health services for the children of benefits-eligible employees and postdoctoral students across Stanford’s group of health plans, including Stanford Health Care, Stanford Health Care Tri-Valley, Stanford Medicine Children’s Health and Stanford Medicine Partners, according to a letter Raina Rose Tagle, senior associate vice president and chief risk officer for Stanford University and Stanford Medicine, and Sondra Hornsey, interim chief compliance and privacy officer for Stanford Health Care and Stanford Medicine Children’s Health, sent to colleagues on April 7.
In a statement Thursday, Brightline said one of its vendors, Forta, which provides file transfer services, detected suspicious activity within its software on Jan. 30. An investigation by Forta “identified unauthorized access to and acquisition of data from certain customers’ accounts,” including Brightline’s, according to the statement.
“Forta also indicated that it promptly notified law enforcement and is cooperating with their investigation of the incident,” Brightline said.
After learning about the data breach on Feb. 4, Brightline said it immediately put its emergency response plan in motion and confirmed that the unauthorized access was terminated.
In their letter, Tagle and Hornsey said Brightline determined that the breach affected only health plan participants with dependents under the age of 18 and involved “mostly demographic” information, including subscriber and dependent names, contact information, member IDs, dates of birth, and coverage start and end dates.
No Social Security numbers or financial accounts were exposed in the data breach and the stolen files did not contain anything related to medical services, conditions, diagnoses or claims for the plan participant or their dependent, Tagle and Hornsey said.
It was not immediately known how many individuals were impacted by the breach.
In its statement, Brightline said it is offering two years of complimentary identity theft and credit monitoring to impacted individuals. The company has also set up a toll-free number — 833-570-2987 — to share additional information about the breach.
“We sincerely regret any inconvenience this incident may cause the affected individuals,” Tagle and Hornsey said in their letter. “The confidentiality, privacy, and security of personal information continue to be important priorities for Stanford, and also for the vendors we engage to provide services for our community.”
Check back for updates.