HealthEquity is notifying 4.3 million individuals of a third-party breach that leaked their personal (PII) and protected health information (PHI) after an unauthorized actor accessed a vendor’s data repository.
With more than 15 million employee benefits accounts, HealthEquity is a third-party administrator (TPA) of employee benefits such as consumer tax-advantaged health savings accounts (HSAs), health reimbursement arrangements (HRAs), and Consolidated Omnibus Budget Reconciliation Act (COBRA) health plans.
On March 25, 2024, the Draper, Utah-based healthcare benefits administrator received an alert of a “system anomaly requiring extensive technical investigation.” HealthEquity launched an investigation and determined on June 26, 2024, that the incident exposed sensitive information.
HealthEquity third-party breach leaked PII and PHI of 4.3m people
A statement published on HealthEquity’s website confirmed that the third-party breach leaked customers’ personal and protected health information.
“Through this work, we discovered some unauthorized access to and potential disclosure of protected health information and/or personally identifiable information stored in an unstructured data repository outside our core systems,” the company said.
While the impacted data varied by individual, it included the victim’s name, address, phone number, Social Security number, employee ID, employer, health card number, health plan member number, dependent information, benefit type, diagnoses, prescription details, payment card information (excluding the payment card number), and/or account type.
According to a regulatory data breach notification filed with the Office of the Maine Attorney General, the HealthEquity data breach impacted 4.3 million people who would start receiving notification letters on August 9.
HealthEquity also notified the U.S. Securities and Exchange Commission (SEC) that some compromised information was “transferred off the partner’s systems.”
However, no “malicious code” was installed on the vendor’s systems, and HealthEquity’s own systems and business operations were not disrupted, which points to data theft rather than a ransomware attack.
Although HealthEquity has no evidence of attempted misuse of the compromised PII and PHI, it is offering two years of free credit and identity monitoring, insurance, and restoration services through Equifax.
“We are not aware of any actual or attempted misuse of information because of this incident to date,” said HealthEquity.
The healthcare benefits administrator also advised the third-party breach victims to monitor their accounts for suspicious activity.
“Healthcare entities that use SSNs for customer attribution are forced to include this information in operational data stores and databases resulting in a more attractive attack surface for cyber criminals (SSNs are easier to monetize for criminals) and this means higher impact for the health digital consumers affected by this incident,” warned Jim Routh, Chief Trust Officer at Saviynt.
Erich Kron, Security Awareness Advocate at KnowBe4, warned that exposing medical information could be embarrassing and enable successful phishing attacks.
“By referencing a procedure or test that an individual might think is private and known only to medical professionals, bad actors can more easily build trust with potential victims,” noted Kron.
HealthEquity responds to a third-party breach
The health benefits administrator said it responded by initiating a global password reset, disabling all of the impacted vendor’s accounts, terminating all active sessions, blocking all IP addresses associated with the threat actor’s activity, and enhancing its security monitoring and internal controls.
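The containment steps above (disable the vendor’s accounts, kill their sessions, block the attacker’s IPs) only work if the incident has been scoped first. The following is an added example, not HealthEquity’s or the vendor’s code: it takes a constructed newline-delimited JSON audit log (the record format, account names, session IDs, resource paths and RFC 5737 documentation IP addresses are all hypothetical) plus the list of vendor accounts known to be compromised, and derives the containment plan. It also pivots on the attacker’s source IPs to flag any other account that authenticated from them, so that containment is not limited to the accounts the vendor reported.

```python
import json
from collections import defaultdict

# Constructed sample audit records (not real HealthEquity or vendor data).
# Each line is one authenticated action against a hypothetical data repository.
SAMPLE_LOG = """\
{"ts": "2024-03-20T02:11:05Z", "user": "vendor-svc-01", "src_ip": "203.0.113.7", "session": "s-1001", "action": "read", "resource": "unstructured/exports/claims_2023.csv"}
{"ts": "2024-03-20T02:14:41Z", "user": "vendor-svc-01", "src_ip": "203.0.113.7", "session": "s-1001", "action": "download", "resource": "unstructured/exports/claims_2023.csv"}
{"ts": "2024-03-21T09:30:00Z", "user": "vendor-analyst-02", "src_ip": "198.51.100.23", "session": "s-1002", "action": "read", "resource": "unstructured/reports/hra_summary.xlsx"}
{"ts": "2024-03-21T09:45:12Z", "user": "he-employee-77", "src_ip": "192.0.2.15", "session": "s-2001", "action": "read", "resource": "core/hsa/ledger"}
{"ts": "2024-03-22T23:58:30Z", "user": "he-contractor-09", "src_ip": "203.0.113.7", "session": "s-2002", "action": "read", "resource": "unstructured/exports/members_q1.json"}
{"ts": "2024-03-25T04:02:17Z", "user": "vendor-svc-01", "src_ip": "203.0.113.9", "session": "s-1003", "action": "download", "resource": "unstructured/exports/members_q1.json"}
"""


def parse_log(text):
    """Parse newline-delimited JSON audit records into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def containment_plan(records, compromised_accounts):
    """Scope a compromised-vendor-account incident and derive containment actions.

    Pass 1: collect everything the known-compromised accounts did (sessions,
            source IPs, resources, time window).
    Pass 2: pivot on the attacker IPs found in pass 1 and flag any other account
            that authenticated from them; those sessions and resources are added
            to the plan too, since the attacker may hold more than one identity.
    """
    compromised = set(compromised_accounts)
    attacker_ips = set()
    sessions = set()
    resources = defaultdict(set)  # resource -> accounts that touched it
    timestamps = []

    for r in records:
        if r["user"] in compromised:
            attacker_ips.add(r["src_ip"])
            sessions.add(r["session"])
            resources[r["resource"]].add(r["user"])
            timestamps.append(r["ts"])

    pivot_accounts = set()
    for r in records:
        if r["src_ip"] in attacker_ips and r["user"] not in compromised:
            pivot_accounts.add(r["user"])
            sessions.add(r["session"])
            resources[r["resource"]].add(r["user"])
            timestamps.append(r["ts"])

    # ISO-8601 UTC timestamps sort lexically, so min/max give the activity window.
    return {
        "accounts_to_disable": sorted(compromised | pivot_accounts),
        "pivot_accounts": sorted(pivot_accounts),
        "sessions_to_terminate": sorted(sessions),
        "ips_to_block": sorted(attacker_ips),
        "resources_touched": {k: sorted(v) for k, v in sorted(resources.items())},
        "first_seen": min(timestamps) if timestamps else None,
        "last_seen": max(timestamps) if timestamps else None,
    }


if __name__ == "__main__":
    plan = containment_plan(parse_log(SAMPLE_LOG), ["vendor-svc-01", "vendor-analyst-02"])
    print(json.dumps(plan, indent=2))
```

In the sample, the two reported vendor accounts lead to three attacker IPs, and the pivot pass catches a third account (`he-contractor-09`) that logged in from one of them and read a member export; a plan built only from the reported accounts would have left that account and session active. The `resources_touched` map is what feeds the notification scoping that follows containment.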
HealthEquity also formed a special team of internal and external cybersecurity experts to investigate, respond to, and resolve the issue.
HealthEquity has also disclosed that the breach stemmed from a third-party vendor’s compromised user accounts, which had access to some of HealthEquity’s systems. However, the health benefits administrator has not named the breached vendor or identified the threat actor.
Erfan Shadabi, a cybersecurity expert at comforte AG, noted that the third-party breach “highlighted the urgent need for rigorous vetting and continuous monitoring of all third-party relationships.”
“The increasing frequency of third-party data breaches necessitates a proactive approach to security. Companies must adopt comprehensive vetting processes, regular audits, and robust contractual agreements to enforce strict security standards,” advised Shadabi.
The March 2024 third-party breach marks the second cybersecurity incident that HealthEquity has reported this year.
On May 14, 2024, HealthEquity notified the Kentucky Governor’s office of fraudulent account updates that affected 449 Kentucky Employees’ Health Plan (KEHP) members.
While the Kentucky health plan incident did not compromise members’ PII or PHI, the threat actors made fraudulent account updates in an attempt to collect claim reimbursements through the victims’ accounts.