CCPA Request Tracker

All data is for the year 2022

Last update: January 13, 2023

Data deletion requests: 184

Data access requests: 1

Opt out requests: Castlight Health does not sell your Personal Information for any purposes.

Average turnaround time for all requests: 3 days


Does Castlight sell my personal data?

Castlight Health does not sell any personal data. 

How can I access my personal data from Castlight?

You acknowledge that while we make every effort to keep you updated on important changes to your You may request access to the data Castlight has related to your account by emailing [email protected].

How can I delete my personal data from Castlight’s platform?

You may request your data to be deleted from Castlight by emailing [email protected]. Please note once this is completed you will no longer have access to your account.

What type of data does Castlight collect?

Castlight is a healthcare navigation platform used by employees to easily navigate healthcare at the lowest cost. Customers supply the information needed through eligibility files either directly or through benefits providers. Castlight collects information from end users based on completion of surveys and health assessments in our application. Additionally, Castlight will provide users with information on their claims history as provided by their health insurance providers.

Is there a documented identity theft prevention program approved by management in place to detect, prevent, and mitigate identity theft?

Yes. Castlight employs several techniques to ensure a strong Identity Theft Prevention Program. Castlight receives an employee’s information from our customers directly. Once the information is received, an end user has the ability to rectify any information gaps through their employer once they are verified. In addition, our Support team as well as automated fraud detection tools are consistently monitoring for any suspicious activity: logins from out of the ordinary locations, and unpredictable actions taken on an account, for example.

What is Personal Health Information?

The Care Guidance Service will provide assistance to help you understand your health care coverage and

PHI (Personal Health Information) is any information that is related to health status, provision of healthcare, or payment of healthcare that can be linked to an identifiable (specific) individual and is collected by a Covered Entity or Business Associate.   

PHI may also include data that falls into the category of SPI (Sensitive Personal Information). SPI is information or data derived from Personal Information that is highly sensitive in nature and if lost or inadvertently disclosed could result in substantial harm or embarrassment to an individual. Examples of SPI vary across organizations but may include the following:   

  • SSN  
  • Date of Birth  
  • Biometric or Genetic Records  
  • Political or Religious views   
  • Race or Ethnicity  
  • Sexual Orientation  
  • Bank Account Numbers 
Do individuals have a right to download their Personal Health Information outside of  Castlight’s secure platform?

Yes. Under HIPAA (Health Insurance Portability and Accountability Act), if a Covered Entity or Business Associate maintains a designated record set (designated healthcare records) pertaining to the individual the individual has a right to access and transmit their Personal Information (including Personal Health Information)  Although Castlight does not maintain a designated record set as defined by HIPAA , we follow the guidance under HIPAA in most instances and therefore permit users of our application access and download to certain personal information including Personal Health Information.    Source:  Depart of Health and Human Services: Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524.

What are some of the risks associated with an unsecure download of Personal Health Information?

Some of the risks associated with an unsecure download include but are not limited to the following:   

  • Hacking/ Impermissible use or interception by a third party (this may include a bad actor or third-party service provider)  
  • Loss of theft of device with downloaded information  
  • Risk of improper disposal or record retention on the device used for downloading  
  • Unencrypted data (including unencrypted transmission of data to a third party)   
What are some security considerations and recommended safeguards prior to downloading and transmitting data outside of Castlight’s secure platform?   

Castlight highly recommends but does not require the following safeguards be put into place on your device settings prior to download and/ or transmission      

  •     Ensure your mobile or desktop device is encrypted  
  •     Password protection for mobile devices and other hardware endpoints  
  •     Transmitting any downloaded data via a secure channel 
Is Castlight responsible if it complies with an individual’s request to receive Personal Health Information in an unsecured manner? 

No.  Under the HIPAA Privacy and Security Rules, while Castlight is responsible for ensuring reasonable safeguards in implementing an individual’s request Castlight is not responsible for a disclosure of PHI while in transmission to the individual based on the individual’s access request to receive the PHI in an unsecure manner if proper precautions are taken to notify the individual of the risk involved.  

Additionally, while Castlight is required by the Privacy and Security Rules to implement reasonable safeguards to protect PHI, individuals have a right to receive a copy of their PHI by unencrypted means if the individual requests access in this manner.  In such cases, Castlight  provide a brief warning to the individual (per HIPAA guidance) that there is some level of risk that the individual’s PHI could be read or otherwise accessed by a third party and confirm that the individual still wants to receive PHI in this manner.  Source:  Depart of Health and Human Services: Individuals’ Right under HIPAA to Access their Health Information 45 CFR § 164.524.

Where can I go for more information on this topic? 

For general inquiries regarding Castlight’s Privacy practices, please refer to our Policy Statement.  For additional information and resources on this topic please refer to the Department of Health and Human Resources Website or email Castlight’s Privacy Team at: [email protected].

How does Castlight Health keep my data secure?

Trusted by hundreds of employers, Castlight is committed to investing in our security to safeguard your data.


Our infrastructure is hosted in state-of-the-art data centers that meet or exceed industry standards and have achieved, at a minimum, ISO 9000, ISO 27001, PCI-DSS and SSAE18 certifications.


Our controls are based on principles such as least privilege, strong authentication, irrefutable audit trails and guaranteed data integrity. They are universally enforced across our environment to afford a consistent level of protection.


Castlight Health conducts a background investigation of all employees and contractors prior to employment. As part of onboarding, the employees and contractors undergo mandatory security training and receive continuous training throughout their Castlight career.


We regularly undergo independent verification of our security, compliance and privacy controls. Additionally, an annual penetration testing is conducted by a third party to review that our applications are adequately protected and free of vulnerabilities.

What is Castlight Health’s security philosophy?

Our security philosophy is simple. You are trusting us with your healthcare data and we earn that trust through our everyday actions.

Castlight Health maintains a formal and comprehensive security program designed to ensure the confidentiality, integrity and availability of our systems and data while protecting against the threats faced by a modern enterprise.

Castlight Health believes everyone plays a critical role in keeping our data secure. As such, we have a purpose-built organizational culture that is both aware and proactive about security risks. Our security culture is fostered via company-wide training, regular communications and dedicated personnel working everyday to enhance our security posture.