SUBSTITUTE WEBSITE NOTICE

RiverSpring Health Plans – Notice of Unauthorized Access to Personal Information

April 14, 2021

RiverSpring Health Plans (“RiverSpring”) experienced a recent cybersecurity incident that may have involved unauthorized access to personal information.  On September 14, 2020, an unauthorized individual gained access to the email account of a RiverSpring employee through a phishing attack.  During this incident, malware was installed that may have accessed and removed certain limited data from the email account.  The threat was promptly detected, and by September 15, 2020, RiverSpring proactively blocked the unauthorized user from the email account by changing account credentials and expelled the malware.  A review of available log data shows no further unauthorized access to the email account occurred.h

Upon learning of the incident, an investigation was launched under the direction of outside legal counsel in coordination with a leading forensics firm.  On February 17, 2021, RiverSpring determined that certain personal information may have been accessed during the incident.  Categories of personal information varied for each affected individual and may have included demographic information (first and last name, address or date of birth), member ID, Medicare ID, Medicaid ID and/or Social Security number, and references to medical information (such as information about healthcare providers).  RiverSpring’s investigation confirmed that the information involved did not include credit card numbers or other financial information.

RiverSpring has no indication that any personal data was actually viewed or misused.  As a precautionary measure, however, RiverSpring is notifying potentially impacted individuals and offering one-year of complimentary credit monitoring.  RiverSpring has and continues to take steps to protect the confidentiality of individuals’ information and to prevent a similar event from occurring in the future. RiverSpring has removed the malicious code from its systems, changed passwords for various email accounts, and deployed enhanced software protections to help defend against any further intrusion.  RiverSpring has also conducted additional employee training to identify and report phishing emails.

RiverSpring take the confidentiality of personal information very seriously.  Impacted individuals who have any questions regarding the incident or who would like to inquire about complimentary credit monitoring should not hesitate to contact Experian at 1-877-525-6943 for further assistance.

 This notice is being provided in accordance with the substitute notice requirements of the Health Insurance Portability and Accountability Act (HIPAA), as amended by Health Information Technology for Economic and Clinical Health (HITECH) Act.  RiverSpring has notified impacted individuals and will notify relevant regulatory bodies, including the U.S. Department of Health and Human Services (HHS).