HealthEquity Inc., the largest health savings account administrators in the U.S., has encountered a cybersecurity setback, as detailed in its recent U.S. Securities and Exchange Commission (SEC) filing. In its report to the SEC, the company said that even though Personally Identifiable Information (PII) was compromised, the breach did not affect the company's operations or finances.

Details of HealthEquity SEC Filing

According to the health management firm, an unnamed business partner’s account was compromised by bad actors to access and exfiltrate PII and protected health information. “Earlier this year, HealthEquity, Inc. became aware, through routine monitoring, of anomalous behavior by a personal use device belonging to a business partner. The Company promptly took steps to isolate and triage the issue and began an investigation into the nature and scope of the issue,” the company said in a Form 8-K report filed on July 2, 2024. [caption id="attachment_80168" align="alignnone" width="1895"] Source: SEC.gov[/caption] “The investigation concluded that the Partner’s user account had been compromised by an unauthorized third party, who used that account to access information. The accessed information included some personally identifiable information, which in some cases is considered protected health information, pertaining to certain of our members. The investigation further concluded that some information was subsequently transferred off the Partner’s systems,” the report said. Though the SEC filing did not disclose further details like the month of the cyberattack or provide a description of the threat actor, HealthEquity may be referring to a cybersecurity incident involving the company that occurred on May 14. In a media release shared by the Kentucky Personnel Cabinet on June 21, Governor Andy Beshear said, “On May 14, the Kentucky Personnel Cabinet was informed of unauthorized updates to members’ HealthEquity accounts. HealthEquity is a third-party vendor that administers Flexible Spending Accounts (FSA) and Health Reimbursement Arrangements (HRA) on behalf of the Kentucky Employees’ Health Plan (KEHP). “After investigating this incident, HealthEquity determined that this potential fraud event impacted 449 KEHP member accounts. It is presumed that the bad actors who accessed the accounts were aiming to receive money from claim reimbursements. “Immediately upon becoming aware of this potential fraud event, HealthEquity locked all affected member accounts, removed any unauthorized profile changes and suspended the ability to edit account login information. HealthEquity also implemented additional measures to ensure further security for members. Communications regarding the security incident were distributed to all affected members. HealthEquity is currently investigating whether any claim reimbursements were fraudulently submitted or redirected. HealthEquity has committed to restoring any member accounts to the prior balance if they conclude that any HRA or FSA member funds were impacted,” reported the Governor’s release.

Data Breach Caused No Interruption to Company’s Systems: HealthEquity

In the SEC Filing, HealthEquity said the data breach incident did not impact the company. “The investigation did not find placement of malicious code on any company systems. There has been no interruption to the Company’s systems, services, or business operations,” said the report. HealthEquity said it is in the process of notifying its partners and clients as well as identifying and notifying individual members whose information may have been involved. “The Company expects to offer complimentary credit monitoring and identity restoration services. The Company does not currently believe the incident will have a material adverse effect on its business, operations, or financial results. The Company is continuing to evaluate the impact of this incident, including remediation expenses and other potential liabilities. The Company believes it holds adequate cybersecurity insurance for this incident and will also be seeking recourse from the Partner,” HealthEquity concluded in its SEC filing.