HealthEquity

HSA provider HealthEquity has determined that a cybersecurity incident disclosed earlier this month has compromised the information of 4,300,000 people.

HealthEquity, one of the largest HSA custodians in the U.S., specializes in providing health savings accounts (HSAs), flexible spending accounts (FSAs), health reimbursement arrangements (HRAs), and 401(k) retirement plans.

In a Form 8-K filing submitted on July 2, 2024, the company disclosed that threat actors stole members' sensitive health data using a partner's compromised credentials.

Wiz

An investigation determined that the breach occurred on March 9, 2024, but was only verified by the firm on June 26, following an internal investigation.

"We discovered some unauthorized access to and potential disclosure of protected health information and/or personally identifiable information stored in an unstructured data repository outside our core systems," reads the data breach notice to be distributed to impacted individuals on August 9, 2024.

"On June 26, 2024, after validating the data, we unfortunately determined that some of your personal information was involved."

The data that has been exposed as a result of this breach varies per individual and includes:

  • Full names
  • Home address
  • Telephone number
  • Employer and employee ID
  • Social Security Number (SSN)
  • General dependent information
  • Payment card information (not numbers)

The breached data repository, which HealthEquity clarified is outside its core systems, has now been secured by terminating unauthorized sessions and blocking IP addresses associated with the intruders.

Also, the firm implemented a global password reset for the vendor whose account was breached and later used to access the remote database.

Recipients of the data breach notifications will also receive a two-year credit monitoring and identity theft protection service through Equifax, with enrollment instructions in the letters.

Impacted individuals are advised to remain vigilant, review their account statements to identify suspicious activity, and log into their HealthEquity account to confirm that their personal profile and contact information are correct.

Currently, no threat actors have assumed responsibility for the attack at HealthEquity, and the stolen data has not been leaked online.

tines

Break down IAM silos like Bitpanda, KnowBe4, and PathAI

Broken IAM isn't just an IT problem - the impact ripples across your whole business.

This practical guide covers why traditional IAM practices fail to keep up with modern demands, examples of what "good" IAM looks like, and a simple checklist for building a scalable strategy.

Related Articles:

Coupang to split $1.17 billion among 33.7 million data breach victims

Askul confirms theft of 740k customer records in ransomware attack

700Credit data breach impacts 5.8 million vehicle dealership customers

Coupang data breach traced to ex-employee who retained system access

Marquis data breach impacts over 74 US banks, credit unions