STANFORD — The personal information of some Stanford University employees and postdoctoral students, along with their dependents, was stolen in a data breach earlier this year, officials said.
The breach involved Brightline Inc., a provider of virtual behavioral and mental health services for the children of benefits-eligible employees and postdoctoral students across Stanford’s group of health plans, according to an April 7 letter from leaders at the university and the health-care system. The plans include Stanford Health Care, Stanford Health Care Tri-Valley, Stanford Medicine Children’s Health and Stanford Medicine Partners.
The Stanford letter was sent to colleagues by Raina Rose Tagle, senior associate vice president and chief risk officer for Stanford University and Stanford Medicine, and Sondra Hornsey, interim chief compliance and privacy officer for Stanford Health Care and Stanford Medicine Children’s Health.
In a statement Thursday, Brightline said one of its vendors, Forta, which provides file transfer services, detected suspicious activity within its software on Jan. 30. An investigation by Forta “identified unauthorized access to and acquisition of data from certain customers’ accounts,” including Brightline’s, according to the statement.
“Forta also indicated that it promptly notified law enforcement and is cooperating with their investigation of the incident,” Brightline said.
After learning about the data breach on Feb. 4, Brightline said it immediately implemented its emergency response plan and confirmed that the unauthorized access was terminated.
In their letter, the Stanford executives said Brightline determined that the breach affected only health plan participants with dependents under the age of 18 and involved “mostly demographic” information, including subscriber and dependent names, contact information, member IDs, dates of birth, and coverage start and end dates.
No Social Security numbers or financial accounts were exposed in the data breach and the stolen files did not contain anything related to medical services, conditions, diagnoses or claims for the plan participant or their dependent, Tagle and Hornsey said.
When asked for the exact number of individuals affected by the breach, a spokesperson from Stanford Health directed this news organization to its original statement and declined to clarify further.
In its statement, Brightline said it is offering two years of complimentary identity theft and credit monitoring to impacted individuals. The company has also set up a toll-free number — 833-570-2987 — to share additional information about the breach.
“We sincerely regret any inconvenience this incident may cause the affected individuals,” the Stanford executives said in their letter. “The confidentiality, privacy, and security of personal information continue to be important priorities for Stanford, and also for the vendors we engage to provide services for our community.”
