In early July, HealthEquity, a financial technology and business services company based in Draper, UT, submitted a data breach report. HealthEquity stated in its 8-K filing with the Securities and Exchange Commission (SEC) that suspicious activity was detected on a device belonging to a business partner. The investigation’s preliminary results indicated that the device had been accessed without authorization, compromising member information. HealthEquity has informed the Maine Attorney General about the incident, confirming that the personal identifying information (PII) of 4,300,000 persons, including 13,480 Maine residents, was exposed and potentially stolen.
HealthEquity, which owns Further Operations LLC and WageWorks Inc., offers health savings account (HSA) services, health reimbursement arrangements (HRAs), and other consumer benefits solutions. The company manages a large number of HRAs, HSAs, and other benefit accounts. According to the notice, HealthEquity became aware of the system anomaly on March 25, 2024, and launched a technical and forensic investigation that ended on June 10, 2024. On June 26, 2024, the service provider stated that files containing PII were accessed without authorization.
The breach involved vendor user accounts with access to an online data storage system (SharePoint), but did not impact HealthEquity’s core systems. Upon discovery, all possibly affected vendor accounts and active sessions were deactivated, and IP addresses related to the unauthorized activity were blocked. A global password reset was also carried out for the impacted vendor. HealthEquity did not disclose how the unauthorized access to the vendor’s accounts happened.
HealthEquity revealed that the breached data mostly involved sign-up data for the accounts and services that the firm manages. The breached information differed from one person to another and possibly included names along with at least one of the following: employer, employee ID, address, phone number, Social Security number, standard contact details of dependents, and payment card data. No HealthEquity debit card or payment card number data was compromised.
HealthEquity stated that it will begin sending individual notifications on August 9, 2024, and is offering free credit identity monitoring, insurance, and restoration services for two years. HealthEquity has improved its security and tracking tools, internal controls, and security protection. Employees also received additional HIPAA training.