HealthEquity Confirms Breach Involved PII of 4.3 Million Individuals
In early July, the HIPAA Journal reported on a data breach at the Draper, UT-based financial technology and business services company, HealthEquity. HealthEquity had disclosed in an 8-K filing with the Securities and Exchange Commission (SEC) that it had identified suspicious activity in the device of a business partner. The initial findings of the investigation indicated unauthorized access to the device and member information. HealthEquity has recently notified the Maine Attorney General about the incident and has confirmed that the personal identifying information (PII) of 4,300,000 individuals was exposed and potentially stolen, including the personal information of 13,480 Maine residents.
HealthEquity, the parent company of WageWorks Inc. and Further Operations LLC, provides health savings account (HSA) services and other consumer-directed benefits solutions, including health reimbursement arrangements (HRAs). The company manages millions of HSAs, HRAs, and other benefit accounts. In the notification, HealthEquity explains that it was notified about a systems anomaly on March 25, 2024, that required extensive technical and forensic investigation. The investigation was completed on June 10, 2024, and on June 26, 2024, it was determined that there had been unauthorized access to files containing PII.
HealthEquity has confirmed that the breach involved a vendor’s user accounts, which had permission to access an online data storage location (SharePoint). There was no unauthorized access to its core systems. When the breach was detected, all potentially compromised vendor accounts were disabled as well as all active sessions. All IP addresses linked to the activity were blocked and a global password reset was performed for the affected vendor. HealthEquity did not disclose how access was gained to the vendor’s accounts.
HealthEquity explained that the compromised data primarily included sign-up information for the accounts and benefits that the company administers. The breached data varied from individual to individual and may have included names in combination with one or more of the following: employee ID, employer, address, telephone number, Social Security number, general contact information of dependents, and payment card information, but not payment card number/HealthEquity debit card information.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
HealthEquity said it will start mailing individual notifications on August 9, 2024, and is providing two years of complimentary credit identity monitoring, insurance, and restoration services. HealthEquity has enhanced its security and monitoring efforts, internal controls, and security posture.
