HealthEquity Describes Data Breach as an 'Isolated Incident'

HealthEquity, a provider of health tech services, revealed in a federal regulatory filing on Tuesday that it had experienced a data breach compromising the protected health information of certain customers. This incident was discovered through unusual activity on a device used by a business partner, which led to unauthorized access to member information.

In an 8-K filing with the SEC, HealthEquity detailed that the breach involved a compromised account of a business partner. This account was used to access members' data. HealthEquity spokesperson Amy Cerny emphasized that this was an isolated incident, unrelated to other recent breaches such as the one involving Change Healthcare, a subsidiary of UnitedHealth. Earlier this year, UnitedHealth CEO Andrew Witty mentioned in a House hearing that the Change Healthcare breach affected potentially one-third of Americans.

HealthEquity identified the breach on March 25 and immediately took action to resolve the issue. An extensive forensic analysis concluded on June 10. The company assembled a team of both internal and external experts to investigate and respond to the breach. It was found that the breach occurred due to a compromised third-party vendor account, which had access to some of HealthEquity’s SharePoint data. SharePoint is a Microsoft toolset used for creating websites and sharing internal information.

Cerny confirmed that transactional systems where integrations occur were not impacted. HealthEquity is currently notifying partners, clients, and members about the breach. The company is also working with law enforcement and security experts to prevent future incidents.

We sought further details from Cerny regarding the specific personal and protected health information compromised, the number of affected individuals, and the involved partner, but Cerny declined to provide additional information.

Earlier this year, HealthEquity reported that it and its subsidiaries manage HSAs and other CDBs for over 15 million accounts in collaboration with employers, benefits advisers, and health and retirement plan providers.