Data Breach Notifications

Entity Information

  • Type of Organization: Healthcare
  • Entity Name: Castlight Health, Inc.
  • Street Address: 150 Spear Street
  • City: San Francisco
  • State, or Country if outside the US: California
  • Zip Code: 94105

Submitted By

  • Name: Gretchen Ramos
  • Title: Shareholder, Privacy Counsel
  • Firm name (if different than entity): Greenberg Traurig
  • Telephone Number: 415-655-1319
  • Email Address: ramosg@gtlaw.com
  • Relationship to entity whose information was compromised: Outside Counsel

Breach Information

  • Total number of persons affected (including residents): 55
  • Total number of Maine residents affected: 1
  • If the number of Maine residents exceeds 1,000, have the consumer reporting agencies been notified: No
  • Date(s) Breach Occurred: 06/22/2020
  • Date Breach Discovered: 06/22/2020
  • Description of the Breach:
    • Other
    • If other, please specify: On July 1, 2020, Castlight determined that an unknown bad actor attempted to impersonate Castlight users to gain access to one user account on Castlight’s application. Based on the investigation, Castlight does not believe the bad actor obtained login credentials through a compromise of its system. Instead, the access was conducted by a bad actor who appeared to be using email and password combinations from other data breaches that are available for illicit download on the internet. The information that may have been compromised as a result of the unauthorized access includes the personal information and unsecured health information that is displayed in the user’s Castlight account. This information may include first and last name, password associated with the user’s account, health information and health insurance information.
  • Information Acquired - Name or other personal identifier in combination with:

Notification and Protection Services

  • Type of Notification: Written
  • Date(s) of consumer notification: 07/22/2020
  • Copy of notice to affected Maine residents: Castlight - Maine Template.pdf
  • Date of any previous (within 12 months) breach notifications: None
  • Were identity theft protection services offered: No
  • If yes, please provide the duration, the provider of the service and a brief description of the service: