Healthcare fintech firm HealthEquity has disclosed a data breach resulting from a compromised partner account that was used to infiltrate the company's systems and steal protected health information (PHI).
Detection and Investigation
The breach was detected after HealthEquity identified unusual activity from a partner's personal device, prompting an immediate investigation. This investigation revealed that hackers had compromised the partner's account, leveraging it to gain unauthorised access to HealthEquity's systems and subsequently exfiltrate sensitive health data.
According to the company's SEC filing, "The investigation concluded that the partner's user account had been compromised by an unauthorised third party, who used that account to access information. The accessed information included some personally identifiable information, which in some cases is considered protected health information, pertaining to certain of our members." The investigation also found that some of this information was transferred off the partner's systems.
HealthEquity is a prominent provider of health savings account (HSA) services and other consumer-directed benefits solutions, including flexible spending accounts (FSAs), health reimbursement arrangements (HRAs), and 401(k) retirement plans. As one of the largest HSA custodians in the United States, HealthEquity manages millions of benefit accounts in collaboration with numerous employers and health plans.
Impact and Response
While the exact number of affected individuals has not been disclosed, HealthEquity has begun notifying those impacted by the security incident. The company is offering complimentary credit monitoring and identity restoration services to mitigate risks for those whose information was exposed.
The internal investigation has not found any evidence of malware on HealthEquity’s systems, and there have been no disruptions to business operations. All services remain fully available.
Future Precautions
HealthEquity is currently assessing the impact of the incident and the costs associated with its response efforts. However, the company has stated that it does not expect the breach to have a material effect on its business or financial results.
This incident underscores the importance of robust cyber security measures, particularly in the context of third-party relationships. Organisations must ensure that their partners adhere to stringent security standards to prevent unauthorised access and protect sensitive information.
