Trust & Security

At Spring Health™, we are committed to our members coming first, and this is paramount in ensuring security and privacy within the Spring Health Platform. 

We employ processes and technologies across the organization to secure data, systems, and services from intentional and unintentional threats and malicious attacks. Our approach can be summarized as follows: 

  • Identifying and managing security risks to valuable organizational data, systems, and services
  • Protecting assets by developing, implementing, and operating appropriate levels of controls and safeguards
  • Employing situational awareness and monitoring capabilities to ensure the timely discovery and detection of security events
  • Preparing to take appropriate and decisive action when affected by security events
  • Developing plans and exercises to ensure the resilience of key organizational processes and the ability to return to normal operating conditions quickly and efficiently

Our security program incorporates industry standards in a layered, defense-in-depth approach. We govern our security program consistent with industry best-practice frameworks, which define how we operate on a day-to-day basis, conduct business with customers, and interact with our vendors and business partners. 

Spring Health is committed to continually improving and enhancing our security program to meet current and future challenges. As such, we will alter our program accordingly as needed and update this statement when required.

We invite you to check out our trust page at trust.springhealth.com for more in-depth information about our Security, Compliance, and Privacy posture.

Vulnerability Disclosure Program

At Spring Health, protecting the privacy and security of our members is fundamental to everything we do. We welcome and encourage responsible security research and value the contributions of the global security community in helping us keep our systems safe. Our Vulnerability Disclosure Program (VDP) provides clear guidelines for researchers to test our publicly accessible systems—such as our web and mobile applications—and responsibly share any security concerns they identify.

Responsible Disclosure Guidelines

When reporting, we ask that you complete the following steps:

  1. Review this Policy.
  2. Complete the submission form linked at the bottom of this page, providing as much detail as possible. We ask that you provide detailed information with sufficient steps to permit our security team to replicate and locate the identified vulnerability.
  3. Do not take advantage of the vulnerability or problem you have discovered. For example, do not download, modify or delete any data that becomes accessible through the discovery of vulnerabilities or problems.
  4. Do not reveal the problem to others without prior written consent. We ask that you refrain from disclosing this issue to third parties or the public while we work toward resolution because disclosure may increase the potential risks associated with the vulnerability.
  5. Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties.
  6. Provide sufficient information for Spring Health to reproduce the problem if needed. Usually, the IP address or the URL of the affected system and a description of the vulnerability is sufficient, but complex vulnerabilities may require further explanation.
  7. Allow a reasonable amount of time to respond to the issue. Responses will be within two business days, while time to resolution depends on severity and complexity.
  8. Spring Health may choose not to contact or otherwise interact with reporters who decline to identify themselves when making the report.

Noncompliance

Spring Health does not authorize, permit, or otherwise allow (expressly or impliedly) anyone to engage in any illegal activity or in any activity in violation of the Spring Health Terms of Use [https://www.springhealth.com/terms-of-service]. Therefore, we note that any party researching vulnerabilities under this Policy must do the following:

  • Comply with all applicable laws relevant to security research activities. If you engage in any activities that are inconsistent with this Policy, you may be subject to criminal and/or civil liabilities.
  • Do Not:
    • Access, acquire, remove, download, delete or modify data residing in an account that does not belong to you;
    • Destroy or corrupt, or attempt to destroy or corrupt, data or information that does not belong to you;
    • Execute or attempt to execute any “Denial of Service” attack;
    • Post, transmit, upload, link to, send, or store any malicious software;
    • Test in a manner that would result in the sending of unsolicited or unauthorized junk mail, spam, pyramid schemes, or other forms of duplicative or unsolicited messages or degrade the operation of any Spring Health properties;
    • Test third-party applications, websites, or services that integrate with or link to Spring Health properties; nor
    • Exploit any security vulnerability beyond the minimal amount of testing required to demonstrate that a potential vulnerability exists.

If you have found a potential vulnerability on any system or asset that you believe belongs to Spring Health, we request that you please submit it through this program.

Our Commitment

We take every report seriously. Verified vulnerabilities help us improve our security posture and protect the sensitive health information our members trust us with. While this program does not currently offer financial rewards, we are committed to working openly and collaboratively with the security community.

To report a vulnerability to Spring Health’s Security Team, please complete this form based on the guidelines provided above.