HealthEquity says data breach is an ‘isolated incident’


On Tuesday, health tech services provider HealthEquity disclosed in a filing with federal regulators that it had suffered a data breach in which hackers stole “protected health information” of some customers.

In an 8-K filing with the SEC, the company said it detected “unusual behavior by a personal-use device of a business partner”, and concluded that the partner’s account had been compromised by someone who then used the account to access members’ information.

On Wednesday, HealthEquity shared more details about the incident with TechCrunch. HealthEquity spokesperson Amy Cerny said in an email that it was “an isolated incident” that is not connected to other recent breaches, such as the one at Change Healthcare, owned by healthcare giant UnitedHealth. In May, UnitedHealth CEO Andrew Witty said in a House hearing that the breach affected “probably a third of all Americans.”

HealthEquity discovered the breach on March 25, when it “took immediate action, remediated the issue, and began extensive data forensics, which was completed on June 10.” The company “brought together a team of external and internal experts to investigate and prepare for a response.” The investigation determined that the breach was caused by a compromised third-party vendor account having access to “some of HealthEquity’s SharePoint data,” according to Cerny.


Do you have more information about this HealthEquity breach? From a non-work device, you can securely contact Lorenzo Franceschi-Bicchierai on Signal at +1 917 257 1382, or via Telegram, Keybase and Wire @lorenzofb, or via email. You can also contact TechCrunch via SecureDrop.

SharePoint is a set of Microsoft tools that allows companies to create websites, as well as store and share internal information – essentially an intranet.

Cerny also said that “transactional systems, where the integration takes place, have not been impacted” and that the company is notifying partners, customers, and members, and is working with law enforcement as well as experts to prevent future incidents.

TechCrunch asked Cerny what personally identifiable and “protected health” information was stolen in the breach, how many people were affected, and which partners were involved. Cerny declined to answer all of these questions.

Earlier this year, HealthEquity reported that the company and its subsidiaries “manage HSAs and other CDBs for our more than 15 million accounts in partnership with employers, benefits advisors, and health and retirement plan providers.”


Please enter your comment!
Please enter your name here

Share post:




More like this

Here are all the devices compatible with iOS 18

Apple's WWDC 2024 was full of announcements about iOS...

Will Smith broke Twitch’s biggest streaming record, the real reason why

Every summer, Spanish Twitch streamer Ibai Llanos hosts a...