HealthEquity data breach affects 4.3 million individuals

August 1, 2024

The US-based health savings account (HSA) provider HealthEquity disclosed that a cybersecurity breach in its system compromised the information of more than four million customers.

HealthEquity is one of the largest HSA custodians in the US, offering health reimbursement arrangements (HRAs), health savings accounts (HSAs), 401(k) retirement plans, and flexible spending accounts (FSAs).

In a Form 8-K filing earlier this month, the company revealed that the perpetrators of the cybersecurity breach acquired members’ sensitive health data using the compromised credentials of one of its partners.

Moreover, the initial investigation identified that the infiltration happened in March, but the company confirmed it only after finishing an internal analysis in June.

The data breach at HealthEquity has compromised customers’ health information and PII.

According to the notice disseminated by HealthEquity, the unauthorised access and data exposure of protected health information and personally identifiable information have affected 4.3 million individuals.

Moreover, the investigation also validated last month that some personal information was compromised during the breach. The exposed information varies per individual and includes full names, home addresses, telephone numbers, employer and employee IDs, Social Security Numbers (SSN), general dependent information, and payment card details.

However, the company claimed that the affected payment card details did not include card numbers, implying that the exposed information could only include the card companies’ names.

On the other hand, HealthEquity said it has now secured the hacked data repository, which is not part of its core systems. The company was able to secure it by terminating unauthorised sessions and blocking IP addresses connected with the attackers.

The company also initiated a global password reset for the vendor whose compromised account was used to access the external database. Furthermore, the data breach notices will include a 24-month credit monitoring and identity theft protection service from a third-party provider, with enrollment instructions in the letters.

Potentially impacted individuals should be vigilant and monitor their account statements for any unknown activity. Users should also log in to their HealthEquity account to confirm that their personal profile and contact details are correct.

As of now, no threat actors have claimed responsibility for the HealthEquity attack, and the stolen data has not been exposed to the public. Still, recipients of the notification letters should remain cautious with their digital presence as the attack’s perpetrators could strike at any moment.
