Security at Included Health

Our goal is to maintain the trust of our members, clients, employees and other stakeholders by keeping their data safe and secure. We accomplish this by ensuring our Included Health systems and processes, as well as those of our business partners, are meeting critical industry standards related to confidentiality, integrity and availability of information.

How do I contact security?

If you have any questions about Security at Included Health, please don’t hesitate to contact us by e-mail at, or by mail:

Included Health
1 California Street, Ste. 2300
San Francisco, CA 94111

Do you have a bug bounty program? 

Our company recognizes the importance of security, privacy and community. We value the input of hackers acting in good faith to help us maintain a high standard for our users. This includes encouraging responsible vulnerability research as well as the disclosure of security vulnerabilities when located.

If you or someone you know would like to participate in our bug bounty program, please go to our bug bounty site to register. Thank you!

Beware of recruiting scams. 

Included Health does not ask prospective job applicants for information about their bank accounts, credit history or passwords to financial accounts. If you see a job posting on a site other than or are asked for personal financial or security information in response to a job application, this is likely a fraudulent job listing post hosted by spammers posing as Included Health to mislead job applicants. You can validate all Included Health job postings on

Spammers also create phony aliases such as “” to mimic our company and/or brand names in an effort to commit identity theft or other forms of fraud. 

Our recruitment process would not include the following activities:

  • Contact candidates through non-company email domains and teleconference applications.
  • Require employees to purchase start-up equipment from the company
  • Require employees to pay upfront for background investigations or screenings.
  • Request credit card information.
  • Reach out to candidates for job postings not posted on
  • Request candidates for PII and bank account information for payroll purposes prior to hire
  • Perform interviews or send hiring documentation via text message

If you receive this type of suspicious email or text activity, please alert the FBI’s Internet Crimes Complaint Center.

Changes to Single Sign On

As part of our commitment to keep our members’ data safe, we are making changes to how members can access their accounts. We’ve added support for OpenID Connect single sign-on (SSO), an industry standard identity layer built on top of OAuth 2. OpenID Connect will be available to all customers on January 1, 2023. 

We have ended support for new implementations of Identity Provider (IdP) initiated security Assertion Markup Language Single Sign-on (SAML SSO) connections. This is in line with our commitment to security and industry best practice.  IdP-initiated SAML SSO connections will be retired on January 1, 2024. We will continue to support Service Provider initiated SAML.