Signify Health, LLC ("Signify" ) - beach notification
State of New Hampshire
Office of Attorney General
33 Capitol Street
Concord, New Hampshire 03302
A P ROF ESS I ONAL CORPORATION
ATTORN EYS AT LAW
450 Sen try Parkway,Suice200
Blue Bel~ Pennsylvania 19422
Teleph one: (610) 567-0700
Fax: (610) 567-0712
www.C-WLJ\W.com
March 11 , 2021
RE: Security Incident Notification
To Whom It May Concern:
MAR 15 2021
Visit us o nline:tt • J
www.C-WLJ\W.com
Please accept this Notification of Security Incident (''Notification") on behalf of our client,
Signify Health, LLC ("Signify" ). By way of background, Signify serves as a Business Associate
to a number of Covered Entities under the Health Insurance Portability and Accountability Act
("HIPAA"). As a Business Associate, Signify is entrusted with certain personally identifiable
and/or medical information ("Protected Data") on behalf of its Covered Entity clients ("Clients" ).
The details of this security incident ("Incident" ) follow.
Scope of Employee 's Role and Misconduct
On October I 2, 2020, Signify discovered that an employee inappropriately published his
login credentials to a subscription-based job board. This employee published his credentials to
secure a coding specialist to help him write a job-related script. According to the employee, they
were unaware that they had published their login credentials on the job board at the time of the
incident. Signify did not know, consent to, or condone this action; moreover, the employee violated
Signify's established policy and Code of Conduct. Signify has since terminated this employee.
This employee was a low-level IT Support Specialist whose job was to receive, log, triage ,
and track IT support requests in ticketing software called "Jira" . Jira is stand-alone software that
is not connected to any of Signify's core technology assets. And, as an IT Support Specialist,
Signify only provisioned this employee with access to Jira. In other words, the published
credentials only permitted access to Jira - they did not and could not be used to access any other
systems or technology environments maintained by Signify.
Office of Attorney General
33 Capitol Street
Concord, New Hampshire 03302
A P ROF ESS I ONAL CORPORATION
ATTORN EYS AT LAW
450 Sen try Parkway,Suice200
Blue Bel~ Pennsylvania 19422
Teleph one: (610) 567-0700
Fax: (610) 567-0712
www.C-WLJ\W.com
March 11 , 2021
RE: Security Incident Notification
To Whom It May Concern:
MAR 15 2021
Visit us o nline:tt • J
www.C-WLJ\W.com
Please accept this Notification of Security Incident (''Notification") on behalf of our client,
Signify Health, LLC ("Signify" ). By way of background, Signify serves as a Business Associate
to a number of Covered Entities under the Health Insurance Portability and Accountability Act
("HIPAA"). As a Business Associate, Signify is entrusted with certain personally identifiable
and/or medical information ("Protected Data") on behalf of its Covered Entity clients ("Clients" ).
The details of this security incident ("Incident" ) follow.
Scope of Employee 's Role and Misconduct
On October I 2, 2020, Signify discovered that an employee inappropriately published his
login credentials to a subscription-based job board. This employee published his credentials to
secure a coding specialist to help him write a job-related script. According to the employee, they
were unaware that they had published their login credentials on the job board at the time of the
incident. Signify did not know, consent to, or condone this action; moreover, the employee violated
Signify's established policy and Code of Conduct. Signify has since terminated this employee.
This employee was a low-level IT Support Specialist whose job was to receive, log, triage ,
and track IT support requests in ticketing software called "Jira" . Jira is stand-alone software that
is not connected to any of Signify's core technology assets. And, as an IT Support Specialist,
Signify only provisioned this employee with access to Jira. In other words, the published
credentials only permitted access to Jira - they did not and could not be used to access any other
systems or technology environments maintained by Signify.
