HealthEquity reveals data breach affected 4.3 million people

HealthEquity, one of the largest health savings accounts (HSA) custodians in the United States, says that the personal information of 4.3 million Americans has been compromised due to a data breach earlier this month.

In an 8-K Filing addressed to the Securities and Exchange Commission (SEC) on July 2nd, HealthEquity stated that the company became aware of “anomalous behavior”.

An unknown threat actor used a device belonging to a business partner of the company to infiltrate HealthEquity’s corporate network and access personally identifiable information (PII). Some of this information was exfiltrated from the business partner’s systems

“The investigation did not find placement of malicious code on any HealthEquity systems. There has been no interruption to the company’s systems, services, or business operations,” the HSA custodian wrote in the 8-K Filing.

In a more recent data breach notification forwarded to the Office of the Maine Attorney General, HealthEquity says the breach occurred on March 9th. However, it took the company three-and-a-half months to discover the breach after an internal data forensics investigation was launched.

“We discovered some unauthorized access to and potential disclosure of protected health information and/or personally identifiable information stored in an unstructured data repository outside our core systems,” the notice says.

The data that may have been stolen includes full names, home addresses, telephone numbers, social security numbers, payment card information, and employer and employee ID numbers.

As soon as the data breach came to light, HealthEquity disabled all compromised vendor accounts, terminated all active sessions, blocked all suspicious IP addresses, and implemented a global password reset. Additionally, security and monitoring efforts were scaled up.

Victims will receive a two year credit monitoring and identity theft protection service. HealthEquity recommends affected individuals to carefully review their financial statements and be aware of identity fraud.

As of yet, nobody has claimed responsibility for the data breach. The stolen data hasn’t surfaced on the dark web.