Pierluigi Paganini July 04, 2024

Healthcare firm HealthEquity disclosed a data breach caused by a partner’s compromised account that exposed protected health information.

Healthcare fintech firm HealthEquity disclosed a data breach after a partner’s compromised account was used to access its systems. The intruders have stolen protected health information from the company systems. The company discovered an anomalous behavior from the partner’s personal device and immediately launched an investigation that led to the discovery of the security breach.

“The investigation concluded that the Partner’s user account had been compromised by an unauthorized third party, who used that account to access information. The accessed information included some personally identifiable information, which in some cases is considered protected health information, pertaining to certain of our members. The investigation further concluded that some information was subsequently transferred off the Partner’s systems.” reads the FORM 8-K filed with SEC. “The Company has taken steps to strengthen its security environment, including with respect to the compromised Partner account and the recommended actions of its incident response firm. The investigation did not find placement of malicious code on any Company systems. There has been no interruption to the Company’s systems, services, or business operations.”

HealthEquity is a leading financial technology company that specializes in administering health savings accounts (HSAs) and other consumer-directed benefits. Some key facts about HealthEquity:

As of July 2022, HealthEquity managed 7.5 million HSA accounts with $20.5 billion in assets, plus an additional 7 million other consumer-directed benefit accounts for a total of 14.5 million accounts.

The company is notifying its partners and clients, as well as identifying and notifying impacted individual members.

HealthEquity will offer complimentary credit monitoring and identity restoration services. The investigation is still ongoing and the healthcare fintech firm has yet to determine the fill impact of the incident.

“The Company does not currently believe the incident will have a material adverse effect on its business, operations, or financial results.” continues the Form 8-K.

“The Company believes it holds adequate cybersecurity insurance for this incident and will also be seeking recourse from the Partner.”

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, healthcare)