HealthEquity data breach exposes protected health information – ET CISO
Healthcare fintech firm HealthEquity has disclosed a data breach following the compromise of a partner’s account, which was used to infiltrate the company’s systems and steal protected health information. The breach was identified after the company detected “anomalous behavior” from a partner’s personal device, prompting an investigation.
The investigation revealed that hackers had compromised the partner’s account, gaining unauthorized access to HealthEquity’s systems and exfiltrating sensitive health data. According to an SEC filing, “The investigation concluded that the partner’s user account had been compromised by an unauthorized third party, who used that account to access information. The accessed information included some personally identifiable information, which in some cases is considered protected health information, pertaining to certain of our members. The investigation further concluded that some information was subsequently transferred off the partner’s systems.”
HealthEquity is a leading provider of health savings account (HSA) services and other consumer-directed benefits solutions, including flexible spending accounts (FSAs), health reimbursement arrangements (HRAs), and 401(k) retirement plans. The company manages millions of benefit accounts, partnering with numerous employers and health plans.
Although the exact impact and number of affected individuals have not been disclosed, HealthEquity has begun notifying those impacted. The company is offering complimentary credit monitoring and identity restoration services to mitigate the risk for exposed individuals.
HealthEquity’s internal investigation found no evidence of malware on its systems, and there have been no technical interruptions. “All business operations and services remain fully available,” the company stated. They are currently evaluating the incident’s impact and the cost of its response efforts but noted that they “do not believe the incident will have a material effect on its business or financial results.”