Protected Health Information Stolen in HealthEquity SharePoint Breach
HealthEquity has confirmed a breach of its SharePoint data, which included protected health information. HIPAA compliance data breaches have also been reported by Kairos Health Arizona and Ambulnz.
HealthEquity
HealthEquity, a Draper, UT-based financial technology, and business services company, has suffered a cyberattack that has exposed protected health information. HealthEquity provides health savings account (HSA) services and other consumer-directed benefits solutions, including health reimbursement arrangements (HRAs), and manages millions of HSAs, HRAs, and other benefit accounts.
HealthEquity explained in an 8-K filing with the Securities and Exchange Commission (SEC) that it recently identified anomalous behavior in a business partner’s device, and said the initial investigation indicates that the device had been compromised and was used to access members’ information. No malware was found on its systems and business operations were unaffected, and while the company is still evaluating the financial impact of the incident, it does not believe that the incident will have any material effect on its business or financial results.
The breach was detected on March 25, 2024, and immediate action was taken to prevent further unauthorized access. A forensic investigation was launched to determine the extent of the breach, which revealed an unauthorized actor accessed and exfiltrated HealthEquity’s SharePoint data. Its transactional systems, where integrations occur, were not affected. HealthEquity has started notifying the affected partners, clients, and members and is offering complimentary credit monitoring and identity theft protection services. The extent of the breach and the types of information involved have not yet been publicly disclosed.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
July 29, 2024 Update: The beach involved the personally identifiable information of 4.3 million individuals. Further information is available in this post.
Kairos Health Arizona
Kairos Health Arizona, an employee benefits pool serving public entity employers in Arizona, has discovered that there has been unauthorized access to member data by a former third-party vendor. An investigation was launched which determined that between November 2, 2023, and March 29, 2024, the vendor accessed and downloaded information from a Kairos database.
A review was conducted to determine the types of data involved and confirmed that the downloaded data included names, insurance identification numbers, claims/coverage information, and health information. No Social Security numbers, driver’s license numbers, or financial account information were accessed or downloaded. Notification letters have now been sent to the 14,364 affected individuals and steps have been taken to enhance the security of its network, internal systems, and applications to prevent similar incidents in the future.
Ambulnz
Ambulnz, a subsidiary of DocGo that provides medical transportation and ambulance services, has discovered the protected health information of 4,742 patients has been exposed and potentially stolen in a cyberattack that was detected on April 22, 2024. The forensic investigation confirmed that a threat actor first accessed its network on April 21, 2024, and access was blocked the following day; however, the attack was not detected in time to prevent the threat actor from downloading patient data from its network. The stolen files included names, plus one or more of the following: dates of birth, address, medical record number, patient account number, health insurance identification number, and/or diagnosis and treatment information. A limited number of patients also had their Social Security numbers and/or driver’s license numbers stolen.
