HealthEquity Notifies 165,800 Individuals of Email Security Breach

HealthEquity is notifying 165,800 individuals that some of their protected health information has been exposed as a result of an email security breach.

HealthEquity is a Utah-based company that provides services to help individuals gain tax advantages to offset the cost of healthcare, either through employers or health plans. Those services include health savings accounts (HSAs), health flexible spending arrangements (FSAs), limited purpose FSAs, and dependent care reimbursement accounts (DCRAs).

In order to provide those services, HealthEquity has access to protected health information, some of which is communicated via email for business purposes. On October 5, 2018, HealthEquity’s security team discovered two Office 365 email accounts had been accessed by an unauthorized individual.

On October 20, 2018, following an analysis of the cyberattack, HealthEquity confirmed that two employee email accounts had been breached and that those accounts contained the sensitive personal information of employees and individuals who benefited from its services through their health plan or employer.

The investigation determined that one of the email accounts was accessed by an unauthorized third party on October 5, 2018. The second email account was first breached on September 4, 2018 and was subsequently accessed by an unauthorized individual on multiple occasions up to October 3, 2018.

While the investigation confirmed that the accounts had been accessed, it is currently unclear whether any emails in the accounts were opened or copied, although no reports of misuse of information have been received.

The types of information that were potentially accessed include names, account types, Social Security numbers, employer names, and health plan names.

Many breached entities that discover highly sensitive protected health information has been compromised offer credit monitoring and identity theft protection services to breach victims. Those services are usually provided without charge for 12 months or, less frequently, for 24 months. HealthEquity decided to offer breach victims access to those services for five years without charge. Breach victims will also be covered by a $1,000,000 insurance reimbursement policy. Those services are being provided through MyIDCare.

In a statement provided to HIPAA Journal, HealthEquity explained, “We are committed to protecting the privacy of the individuals we serve and regret the inconvenience this attack may have caused. The affected individuals are our top priority and we are working to provide them with assistance, including offering five years of free identity theft and credit monitoring services. We responded as quickly and responsibly as possible to this attack, which was limited to access through two Microsoft Outlook 365 email accounts. Although none of our systems were accessed or impacted, we continue to be vigilant and proactive in protecting the personal information of the individuals we serve.”

In addition to providing extended protection to breach victims, HealthEquity has taken steps to improve email security and has updated its security protocols. Measures currently taken include the provision of further training to its workforce, the implementation of additional technical security controls, and enhanced monitoring of email accounts for suspicious activity.

Update: 22/11/2018: The breach report submitted to the Department of Health and Human Services indicates 165,800 individuals were impacted by the incident. The article has been updated to reflect the confirmed number of victims.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.