4TH JUL 2024
Healthcare fintech firm HealthEquity has announced a data breach resulting from a compromised partner account, which allowed unauthorized access to the company's systems and led to the theft of protected health information.
The HealthEquity breach was detected after observing unusual activity from a partner's device, prompting an immediate investigation. The investigation revealed that hackers had compromised the partner's account, leveraging it to gain unauthorized access and exfiltrate sensitive health data.
According to the company's SEC filing:
Furthermore, the investigation indicated that some of this information was subsequently transferred off the partner's systems.
HealthEquity, a major provider of health savings accounts (HSAs) and other consumer-directed benefits solutions such as flexible spending accounts (FSAs), health reimbursement arrangements (HRAs), and 401(k) retirement plans, is one of the largest HSA custodians in the United States. The firm manages millions of HSA, FSA, HRA, and other benefit accounts, collaborating with numerous employers and health plans.
While the exact impact and number of individuals affected by the security incident remain undisclosed, HealthEquity has begun notifying those impacted. The company is also offering complimentary credit monitoring and identity restoration services to mitigate potential risks.
HealthEquity's internal investigation has not found evidence of malware on its systems, and no technical interruptions have occurred. All business operations and services continue to function normally.
The company is currently assessing the incident's impact and response costs but does not anticipate any material effect on its business or financial results.
