
4.3 Million Individuals Affected by HealthEquity Data Breach


Draper, Utah-based HealthEquity, a prominent financial technology and business services company, has confirmed a significant data breach affecting millions of individuals. The breach, discovered in March and confirmed in June 2024, involved unauthorized access to sensitive personally identifiable information (PII) of 4.3 million people, including 13,480 Maine residents.

How the HealthEquity Data Breach Occurred

According to an SEC filing, HealthEquity detected anomalous activity on a personal device belonging to a business partner. Subsequent investigation revealed that the partner's user account had been compromised, allowing unauthorized access to information, including personally identifiable information (PII) and protected health information (PHI) for some members.

"The investigation did not find placement of malicious code on any Company systems. There has been no interruption to the Company’s systems, services, or business operations," HealthEquity said at the time in its 8-K filing with the U.S. Securities and Exchange Commission.

The investigation concluded that data was exfiltrated from the partner's systems.

What Information Was Exposed?

The compromised data primarily consisted of account signup information and details related to benefits administered by HealthEquity. While the specific information varied for each individual, it could include:

  • Name
  • Employee ID
  • Employer
  • Address
  • Telephone number
  • Social Security number
  • Dependent contact information

It's crucial to note that payment card numbers and HealthEquity debit card information were not affected by the breach.

HealthEquity Breach Impact on Individuals

The exposure of personal information can have severe consequences for affected individuals. This includes an increased risk of identity theft, financial fraud, and other forms of cybercrime.

HealthEquity has acknowledged the gravity of the situation and has offered two years of complimentary credit identity monitoring, insurance, and restoration services to all impacted individuals.

Protecting Yourself After a Data Breach

While HealthEquity is providing support, it's essential for affected individuals to take proactive steps to protect themselves. These measures include:

  • Closely monitoring credit reports: Check for any unauthorized activity and dispute errors promptly.
  • Being cautious of suspicious emails and calls: Avoid clicking on links or providing personal information in response to unsolicited communications.
  • Considering a credit freeze: This prevents new credit accounts from being opened without your explicit authorization.

Potential Causes of the Breach

While HealthEquity has confirmed that the breach involved a vendor's user accounts with access to a SharePoint data storage location, the exact cause of the compromise remains under investigation. Possible factors contributing to the breach could include:

  • Weak password security: Inadequate password practices by vendor employees could have facilitated unauthorized access.
  • Phishing attacks: Malicious emails designed to trick users into revealing login credentials may have been successful.
  • Insider threats: A disgruntled or compromised employee with access to sensitive information could be responsible.
  • Third-party vulnerabilities: Weaknesses in the vendor's security infrastructure or software could have been exploited.

HealthEquity's Response and Next Steps

HealthEquity has taken steps to strengthen its security environment and has assured investors that the incident is not expected to have a material adverse effect on its business. The company is in the process of notifying affected individuals and partners, and is evaluating potential remediation expenses and liabilities.

HealthEquity Blames Business Partner for Third-Party Data Breach in SEC Filing


HealthEquity Inc., the largest health savings account administrator in the U.S., has encountered a cybersecurity setback, as detailed in its recent U.S. Securities and Exchange Commission (SEC) filing. In its report to the SEC, the company said that even though personally identifiable information (PII) was compromised, the breach did not affect the company's operations or finances.

Details of HealthEquity SEC Filing

According to the health management firm, an unnamed business partner’s account was compromised by bad actors to access and exfiltrate PII and protected health information.

“Earlier this year, HealthEquity, Inc. became aware, through routine monitoring, of anomalous behavior by a personal use device belonging to a business partner. The Company promptly took steps to isolate and triage the issue and began an investigation into the nature and scope of the issue,” the company said in a Form 8-K report filed on July 2, 2024.

(Image: Health Equity Data Breach. Source: SEC.gov)

“The investigation concluded that the Partner’s user account had been compromised by an unauthorized third party, who used that account to access information. The accessed information included some personally identifiable information, which in some cases is considered protected health information, pertaining to certain of our members. The investigation further concluded that some information was subsequently transferred off the Partner’s systems,” the report said.

Though the SEC filing did not disclose further details, such as the month of the cyberattack or a description of the threat actor, HealthEquity may be referring to a cybersecurity incident involving the company that occurred on May 14. In a media release shared by the Kentucky Personnel Cabinet on June 21, Governor Andy Beshear said, “On May 14, the Kentucky Personnel Cabinet was informed of unauthorized updates to members’ HealthEquity accounts. HealthEquity is a third-party vendor that administers Flexible Spending Accounts (FSA) and Health Reimbursement Arrangements (HRA) on behalf of the Kentucky Employees’ Health Plan (KEHP).

“After investigating this incident, HealthEquity determined that this potential fraud event impacted 449 KEHP member accounts. It is presumed that the bad actors who accessed the accounts were aiming to receive money from claim reimbursements.

“Immediately upon becoming aware of this potential fraud event, HealthEquity locked all affected member accounts, removed any unauthorized profile changes and suspended the ability to edit account login information. HealthEquity also implemented additional measures to ensure further security for members. Communications regarding the security incident were distributed to all affected members. HealthEquity is currently investigating whether any claim reimbursements were fraudulently submitted or redirected. HealthEquity has committed to restoring any member accounts to the prior balance if they conclude that any HRA or FSA member funds were impacted,” reported the Governor’s release.

Data Breach Caused No Interruption to Company’s Systems: HealthEquity

In the SEC filing, HealthEquity said the data breach incident did not impact the company. “The investigation did not find placement of malicious code on any company systems. There has been no interruption to the Company’s systems, services, or business operations,” said the report.

HealthEquity said it is in the process of notifying its partners and clients as well as identifying and notifying individual members whose information may have been involved.

“The Company expects to offer complimentary credit monitoring and identity restoration services. The Company does not currently believe the incident will have a material adverse effect on its business, operations, or financial results. The Company is continuing to evaluate the impact of this incident, including remediation expenses and other potential liabilities. The Company believes it holds adequate cybersecurity insurance for this incident and will also be seeking recourse from the Partner,” HealthEquity concluded in its SEC filing.