HealthEquity reveals breach affected over four million people


HealthEquity, a major custodian that manages millions of health savings accounts across the US, has revealed that an earlier data breach resulted in the exposure of personally identifiable information (PII) and personal health information (PHI) of over four million people.

The company was alerted to the incident on March 25th, 2024, after observing a “system anomaly” that required “extensive technical investigation,” which went on until June 10th, 2024.


HealthEquity discovered that there had been “some unauthorized access” to, and potential disclosure of, protected health information (PHI) and personally identifiable information (PII) stored in an unstructured external database.

The health benefits provider filed a report with the Securities and Exchange Commission (SEC) on July 2nd, 2024, stating that it was in the process of notifying customers after observing an incident earlier this year. The company said that the investigation was ongoing.

As the investigation continued, HealthEquity learned that “a vendor’s user accounts – which have access to an online data storage location – were compromised,” allowing an unauthorized party to access “a limited amount” of data stored in the external database.

The American financial technology and business services company is the leading manager of Health Savings Accounts (HSAs), Flexible Spending Accounts (FSAs), Health Reimbursement Arrangements (HRAs), and a range of other lifestyle plans. The company’s revenue reached $861.7 million in 2023.

The health savings provider says that the majority of the data consisted of sign-up information for accounts and benefits plans.

The personal information affected includes one or more of the following data categories:

  • First names
  • Last names
  • Addresses
  • Telephone numbers
  • Employee IDs
  • Employers
  • Social Security numbers
  • Dependent information (for general contact only)
  • Payment card information (not payment card number or HealthEquity debit card information)

PII, and particularly PHI, are valuable to attackers as this information can be used to commit identity theft and financial fraud, perform phishing attacks, blackmail affected individuals, and potentially compromise patients’ medical histories and personal information.


Furthermore, healthcare data is coveted because of its monetary value on the dark web. Malicious actors who buy this information on dark web forums can use it to commit medical identity theft, for example by submitting fraudulent claims to health insurers or to benefits administrators such as HealthEquity.

The health benefits provider has arranged two years of free credit and identity monitoring, identity theft insurance, and identity restoration services for affected individuals.

HealthEquity is expected to begin notifying impacted individuals by August 9th, 2024, according to a filing submitted to the Office of the Maine Attorney General.