On December 2, 2024, we mailed notification letters to certain SAG-AFTRA Health Plan (the Plan) participants (participants) whose information may have been involved in a data incident. On March 14, 2025, following additional review, we notified certain participants including some spouses and dependents who may have also been involved in this incident.

On September 18, 2024, we learned that an employee’s email account had been compromised. The Plan immediately contained and remediated the issue, and with the assistance of leading third-party experts launched an investigation. The investigation determined that, between September 17, 2024 and September 18, 2024, an unauthorized party accessed the contents of a single employee’s email account. This incident resulted from a phishing email, and it is important to note that the Plan’s systems were not impacted. We have also notified law enforcement about this event.

As part of our investigation, we continued analyzing the data in the email account. On February 7, 2025, we determined that the email account may have contained information for certain participants including some spouses and dependents. 

Our investigation determined that the email account contained emails and attachments used for administrative operations that may have included one or more of the following: name, Social Security number, and information associated with claims and health insurance information, such as health plan participant identification number, if applicable.

We take this matter very seriously. After detecting this unauthorized access, we took immediate steps to identify and contain this incident and will continue to implement and evaluate enhanced safeguards and security measures to further protect our systems and reduce the likelihood of a similar future event.

Notified individuals are encouraged to be on the alert for any suspicious activity related to their financial accounts and credit reports. We encourage notified individuals to regularly monitor their credit report, statements, and records to ensure that there are no transactions or other activities that were not initiated or authorized by them. Notified individuals should report any suspicious activity to their financial institution(s) or service provider(s) immediately. Additionally, we are offering complimentary credit monitoring services.

We have set up a designated incident response line to answer questions about the incident. The incident response line can be reached at (888) 458-5706, available 6 a.m. – 6 p.m. PST, except for major U.S. holidays. We remain committed to protecting the confidentiality and security of the information in our care and apologize for the concern this may cause.

Sincerely,

SAG-AFTRA Health Plan

---

Frequently Asked Questions (FAQs) 

Q. What happened?   

On September 18, 2024, we learned that an employee’s email account had been compromised. The Plan immediately contained and remediated the issue, with the assistance of leading third-party experts, and then launched an investigation. The investigation determined that, between September 17, 2024 and September 18, 2024, an unauthorized party accessed the contents of a single employee’s email account. We began analyzing the data in the email account and that process is now complete.

On October 3, 2024, we discovered that the email account contained information related to some Plan participants. On February 7, 2025, we determined that the email account may have contained information for certain participants including some spouses and dependents. This incident was the result of a phishing email, and it is important to note that the Plan’s systems were not impacted. We have also notified law enforcement about this event.

Q. When did The Plan discover the incident?  

On September 18, 2024, we learned that the employee’s email account had been compromised. On October 3, 2024, we discovered that the email account contained information related to some Plan participants. On February 7, 2025, our investigation identified the remaining participants including some spouses and dependents whose information may have been involved in the incident. 

Q. How did this happen? Was this a ransomware attack?  

This incident was the result of a phishing email, and it is important to note that the Plan’s systems were not impacted. This was not a ransomware attack. 

Q. What information/data is involved? 

Our investigation determined that the email account contained emails and attachments used for administrative operations that may have included one or more of the following: name, Social Security number, and information associated with claims and health insurance information, such as health plan participant identification number, if applicable. 

Q. Has this information been misused?

At this time, we have no indication that this information has been misused; however, as a precaution, we encourage you to take steps to protect your information and enroll in the complimentary credit monitoring being provided.

Q. How can I find out if my information may have been affected by this incident? Why am I being informed now? 

On December 2, 2024, the Plan mailed notification letters to certain Plan participants whose information was involved in an email phishing incident. On March 14, 2025, the Plan mailed notification letters to certain Plan participants including some spouses and dependents whose information may have been involved in the incident.

As soon as we learned of the email phishing incident, we immediately began a thorough investigation and worked with third-party experts to identify any potential unauthorized access of the email account.  We also began analyzing the impacted data that was accessed by the unauthorized third-party. On February 7, 2025, we determined that the email account may have contained information for certain participants including some spouses and dependents.

Q. Does this incident only involve the SAG-AFTRA Health Plan? 

Yes. This incident involves SAG-AFTRA Health Plan only.  

It’s important to note that the SAG-AFTRA Health Plan is a separate entity from SAG-AFTRA, the SAG Producers Pension Plan, and the AFTRA Retirement Fund, which were not impacted by this incident.    

Q. Are the systems safe to use? 

Yes. The Plan has contained and remediated the email phishing incident. The Plan’s systems were not impacted, and it is safe to use our Plan’s systems, as well as our email. 

Q. What support and protection is the Plan offering to participants whose data may be involved?  

We remain committed to protecting the confidentiality and security of the information in our care and apologize for the concern this may cause. 

The Plan is offering complimentary credit monitoring services. Please review the letter you were sent, which contains instructions on how to enroll and information about additional steps you can take in response to this incident. A designated call center has been established to help address questions about this incident. Additional information is available by calling the toll-free incident response line at (888) 458-5706 between the hours of 6 a.m. – 6 p.m. PST Monday through Friday.

Q. Why have I seen different discovery dates in the SAG-AFTRA notices?

We understand that you may have seen or heard of different dates regarding when the Plan identified potentially involved individuals. This is because our investigation was an ongoing process during which we identified the potentially involved individuals on different dates. The data analysis process is now complete. The second set of notifications was issued to ensure that all potentially involved individuals were properly informed.