HealthEquity breach may have affected 4.3M people

The firm is an HSA custodian and also administers TPAs, HRAs and other individual account plans.


HealthEquity says a breach of a data repository outside of its core systems may have exposed the information of as many as 4.3 million people.

HealthEquity is a Draper, Utah-based administrator of personal health and benefit accounts. It serves as the custodian of health savings accounts and as a third-party administrator of flexible spending arrangements, health reimbursement accounts, commuter benefits accounts and other types of plans and accounts.

The company discovered the breach March 25, brought in forensics teams to investigate, and concluded June 26 that the breach had affected plan and account users’ information, according to the company’s breach notice.

HealthEquity said the breach did not affect the systems that handle its transactions and integrate streams of data.

The data exposed in the data repository breach “may include information in one or more of the following categories: first name, last name, address, telephone number, employee ID, employer, social security number, health card number, health plan member number, dependent information (for general contact information only), HealthEquity benefit type, diagnoses, prescription details, and payment card information (but not payment card number), and / or HealthEquity account type,” the company said. “Not all data categories were affected for every member.”

The company has responded by blocking all potentially compromised vendor accounts, blocking internet addresses associated with the hackers and requiring all affected vendors to reset their passwords.

The company will provide two years of identity monitoring services, insurance and restoration services from Equifax.

As HealthEquity sends notices to the individual account holders affected by the breach, that could lead to a new round of questions about data security and identity theft for benefits managers, plan administrators, advisors and brokers.

The company’s statement

HealthEquity told BenefitsPRO in a statement that its team is committed to educating, assisting and supporting partners, clients and account holders through the incident.

“We have taken immediate, proactive and prudent action since we first discovered an anomaly with our third-party vendor,” the company said.

It noted that it voluntarily filed a notice about the incident with the U.S. Securities and Exchange Commission, although SEC rules do not require a breach notice filing.

“We regret the inconvenience caused by the incident and are working to minimize disruption while also taking steps to help prevent this from happening in the future,” the company said.

The backdrop

UnitedHealth’s Change Healthcare health data services unit began sending notices to a “substantial proportion of people in America” in connection with a ransomware attack that hit systems used to support physician, hospital and pharmacy billing and claims.


A 2023 breach, the Cl0P attack on the MOVEit file transfer system, which was embedded inside account administration programs that were popular with life insurers, retirement plans and pension plans, may have affected about 50 million Americans.

Organizations reported breaches potentially affecting a total of 1.1 billion people to U.S. regulators in the first half of the year, according to the Identity Theft Resource Center.

In some cases, two or more organizations could have filed separate reports for the same breach. But the high potential victim total suggests that some employers and employees may have had data exposed to system intruders several times this year.

Older attacks could be related to the newer attacks, because one strategy hackers use is to take the user names and passwords tied to individuals’ hacked accounts and see if the same credentials work for the individuals’ other accounts.