
HealthEquity has revealed details of a data breach earlier this year that led to the compromise of personal and financial information belonging to millions of customers.
A filing with the Maine Office of Attorney General (OAG) revealed that the incident occurred on March 9 but was not confirmed by the company until June 26. Nearly 4.3 million customers are affected by the breach, with notification letters due to be sent out on August 9. The firm had already notified the SEC of the incident on July 2.
As a health savings account (HSA) specialist, HealthEquity has access to a range of PHI and PII. Although not every data type was compromised for each affected customer, the compromised information included: first name, last name, address, telephone number, employee ID, employer, Social Security number, dependent contact information and payment card information.
According to the notification, HealthEquity received an alert on March 25, 2024 and became aware of a systems anomaly that required extensive technical investigation, with data forensics ultimately continuing until June 10, 2024. During its investigation, HealthEquity discovered that the breach stemmed from the compromise of “a vendor’s user accounts that had access to an online data storage location.”
“As a result of our investigation, we took immediate actions including disabling all potentially compromised vendor accounts and terminating all active sessions; blocking all IP addresses associated with threat actor activity; and implementing a global password reset for the impacted vendor. Additionally, we enhanced our security and monitoring efforts, internal controls, and security posture.”