It’s been a while since I’ve noticed a third-party breach of a wellness vendor, but here we go, it seems. SimplyWell (“Viverae”) works with Healthbreak, who provides wellness services to the firm in question.
SimplyWell, Inc. (“SimplyWell”) recently discovered a data privacy incident that may affect the privacy of certain Lincoln Electric System (“LES”) employees’ personal health information. SimplyWell works with LES’ vendor, Healthbreak, Inc., for the provision of wellness services.
On Feb. 9, 2018, LES began a new wellness challenge that was added to the “Wellness Events” section of the SimplyWell-LES private portal. The page included a hyperlink that erroneously led to a file that contained a list of LES members who were tobacco-free as of Oct. 27, 2017. On March 23, 2018, LES discovered this information and notified SimplyWell of this erroneous link. The file was immediately deleted from the portal and SimplyWell commenced an investigation to confirm the nature and scope of this incident. The investigation determined the accessible information was limited to an employee’s name, gender, date of birth, SimplyWell identification number, and the employee’s status as a non-smoker. The investigation further determined that the portal for the wellness program could not be and was not accessed by anyone outside of LES, Healthbreak, or SimplyWell.
SimplyWell takes the security of personal information in its care very seriously, and has determined that this potential breach was the result of human error at SimplyWell. SimplyWell has the technical security controls, system safeguards, policies, and processes in place in order to protect the information to which SimplyWell has access. SimplyWell provided written notice of this incident to those individuals whose information was present in the inadvertently posted file. While the information present in the inadvertently posted file was limited, SimplyWell is reminding potentially affected individuals to remain vigilant for suspicious activity.
Potentially impacted individuals may also find information regarding identity theft, fraud alerts, security freezes, and the steps they may take to protect their information by contacting the credit bureaus, the Federal Trade Commission, or their state Attorney General. The Federal Trade Commission can be reached at: 600 Pennsylvania Avenue NW, Washington, D.C. 20580; www.identitytheft.gov; 1-877-ID-THEFT (1-877-438-4338); and TTY: 1-866-653-4261. Additional information on obtaining a free credit report annually from each of the three major credit reporting bureaus can be found by visiting www.annualcreditreport.com, calling 877-322-8228, or contacting the three major credit bureaus directly at:
- Equifax, P.O. Box 105069, Atlanta, GA 30348, 800-525-6285, www.equifax.com
- Experian, P.O. Box 2002, Allen, TX 75013, 888-397-3742, www.experian.com
- TransUnion, P.O. Box 2000, Chester, PA 19016, 800-680-7289, www.transunion.com
SimplyWell sincerely regrets any inconvenience this incident may have caused. The safety and security of all member information is a top priority for SimplyWell and Healthbreak. If individuals have any questions or would like additional information regarding this incident, they are asked to contact the SimplyWell Customer Care number at 1-877-991-9355 (and select option #7).
SimplyWell (known publicly by former company name, Viverae®, will rebrand under its legal name, SimplyWell, in November 2018) is a workplace wellness technology company based in Dallas, Texas. Rooted in care and focused on reducing health risks, our innovative application empowers employers to create cultures of health and well-being.
SimplyWell’s workplace wellness programs are compliant with Affordable Care Act requirements and applicable law, and National Committee for Quality Assurance and national health advocacy group standards.
SOURCE SimplyWell, Inc.