HealthEquity reports data breach through a third-party partner
On Tuesday, HealthEquity, a provider of health tech services, reported a data breach that compromised the protected health information (PHI) of certain customers.
The breach was detected following the identification of unusual activity on a device used personally by a business partner. It was determined that the partner’s account had been compromised, allowing unauthorized access to members’ data.
The breach was initially detected on March 25, prompting immediate remedial actions and the initiation of an extensive forensic investigation, which concluded on June 10. The compromised vendor account had accessed HealthEquity’s SharePoint data.
HealthEquity describes the incident as isolated and claims that its transactional systems, where integrations occur, remained unaffected by the breach. No details are disclosed about the types of exposed data or the number of affected individuals.
The company has been actively notifying partners, clients, and members about the incident and collaborating with law enforcement and cybersecurity experts to prevent future breaches.
Update: as of 29th of July, HealthEquity has reported that the incident has compromised the information of 4,300,000 individuals.
The compromised data includes:
- Full names
- Home addresses
- Telephone numbers
- Employer and employee IDs
- Social Security Numbers (SSN)
- General dependent information
- Payment card information (excluding numbers)
The exposed data was stored in an unstructured data repository outside the core systems of HealthEquity. Unauthorized sessions were terminated, and IP addresses associated with the intruders were blocked. Additionally, a global password reset was implemented for the compromised vendor account used to access the remote database.
To mitigate the impact, HealthEquity is offering a two-year credit monitoring and identity theft protection service through Equifax, with enrollment instructions provided in the notification letters.