HQ/EMEAFind out how we can help your business
The healthcare financial technology company HealthEquity has published a data breach notification after threat actors allegedly hijacked one of its partner’s accounts. The account compromise allowed the attackers to acquire initial access to the company’s systems and possibly a database that stores sensitive health information.
According to reports, the company discovered the breach after spotting strange behaviour on one of its partners’ devices. Identifying the unauthorised access prompted the firm to initiate an initial investigation.
However, the investigation revealed that the hackers hijacked an account to obtain illegal access to HealthEquity’s networks and exfiltrated critical health data.
The company immediately filed a report to the SEC, explaining that the unauthorised intrusion had compromised the partner’s user account and exploited it to access information.
The filing stated that the accessed data includes personally identifiable information, which commonly holds protected health information. Investigations also determined that some material was later transferred off the partner’s networks.
The HealthEquity data breach could cause significant damage since healthcare institutions primarily employ its services.
HealthEquity specialises in health savings account (HSA) services and other consumer-directed benefit solutions, such as flexible spending accounts (FSAs), health reimbursement arrangements (HRAs), and 401(k) retirement plans.
It is also one of the significant HSA custodians in the United States, managing millions of HSA, FSA, HRA, and other benefit accounts while collaborating with various businesses and health plans.
As of now, the exact impact and number of people affected by the data breach incident have not been released, but HealthEquity has started to roll out notification letters to potentially affected parties.
The company has also offered the affected individuals comprehensive credit monitoring and identity protection services to reduce the risk posed by the data breach.
HealthEquity also insisted that its internal investigation found no indication that the hackers deployed malware on its systems, and there were no technical issues after revealing that all of its corporate operations and services are fully operational.
The company is assessing the incident’s impact and the cost of its response activities but has stated that it does not expect the incident to have a substantial effect on its business or financial performance.
