PII of 4.2 Million Individuals Affected by HealthEquity Breach

by | Aug 4, 2024

In early July, a data breach report was submitted by HealthEquity, a financial technology and business services company based in Draper, UT. HealthEquity mentioned in its 8-K filing with the Securities and Exchange Commission (SEC) that suspicious activity was detected on a device belonging to a business partner. The investigation’s preliminary results indicated that the device had been accessed without authorization, compromising member information. HealthEquity has informed the Maine Attorney General about the incident, confirming that the personal identifying information (PII) of 4,300,000 persons, which include 13,480 Maine residents, was exposed and potentially stolen.

HealthEquity, which owns Further Operations LLC and WageWorks Inc., offers health savings account (HSA) services, health reimbursement arrangements (HRAs), and other consumer benefits solutions. The company manages plenty of HRAs, HSAs, and other benefit accounts. As per the notice, HealthEquity knew about the system anomaly on March 25, 2024, and launched a technical and forensic investigation that ended on June 10, 2024. On June 26, 2024, the service provider mentioned that files including PII were accessed with no authorization.

The breach involved vendor user accounts with access to an online data storage system (SharePoint), but didn’t impact HealthEquity’s core systems. Upon discovery, all possibly affected vendor accounts and active sessions were deactivated. IP addresses related to the unauthorized activity were blocked. A global password recovery was likewise done for the impacted vendor. HealthEquity failed to make known how the unauthorized access to the vendor’s accounts happened.

HealthEquity revealed that the breached data mostly involved sign-up data for the accounts and services that the firm manages. The breached information differed from one person to another and possibly included names along with at least one of these information: employer, employee ID, address, phone number, Social Security number, standard contact details of dependents, and payment card data. No HealthEquity debit card / payment card number data were compromised.

HealthEquity stated it is going to begin sending personal notifications on August 9, 2024, and is offering free credit identity monitoring, insurance, and restoration services for two years. HealthEquity has improved its security and tracking tools, internal controls, and security protection. Employees were also provided extra HIPAA training.

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

COMPREHENSIVE HIPAA TRAINING

Please enable JavaScript in your browser to complete this form.

Ryan Coyne

Ryan Coyne is a results-driven leader in the healthcare compliance industry, specializing in regulatory compliance, compliance training, and assisting healthcare organizations and business associates in achieving and maintaining compliance. With a deep knowledge of healthcare regulations and a keen understanding of the challenges faced by the industry, Ryan has developed a reputation as a trusted advisor and advocate for ethical and compliant practices in healthcare. Ryan has successfully advised and guided numerous healthcare organizations, business associates, and healthcare professionals on achieving and maintaining compliance with regulatory training requirements. Ryan's professional focus is using his in-depth expertise and leading a world class team of subject matter experts at ComplianceJunction in regulatory compliance to help organisations navigate the complex landscape of ensuring staff adhere to healthcare regulations. You can connect with Ryan via LinkedIn and follow on Twitter

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy