HealthEquity says data breach impacted over 4.3 million patients

U.S. healthcare fintech company HealthEquity said the data security incident it suffered earlier this year compromised the sensitive personal information of approximately 4.3 million individuals.

 

In a filing with the U.S. Securities and Exchange Commission earlier this month, HealthEquity said it detected “anomalous behaviour by a personal use device belonging to a business partner.” The company said it launched an investigation, with assistance from external cyber security experts, to determine the nature and scope of the incident.

 

“The investigation concluded that the Partner’s user account had been compromised by an unauthorised third party, who used that account to access information,” reads the SEC filing. The compromised data included some personally identifiable information and protected health information.

 

“The investigation further concluded that some information was subsequently transferred off the Partner’s systems. The Company has taken steps to strengthen its security environment, including with respect to the compromised Partner account and the recommended actions of its incident response firm,” HealthEquity explained.

 

The health tech company added that the threat actors who infiltrated the network did not place any malware and there has been no disruption to the company’s systems, services, or business operations.

 

In a recent filing with the Office of Maine Attorney General, HealthEquity said that the data security incident compromised the sensitive personal information of about 4.3 million individuals. 

 

The compromised data included patients’ full names, addresses, phone numbers, employee IDs, employer details, social security numbers, dependent information, and payment card information (but not payment card number or HealthEquity debit card information).

 

While the company found no evidence of the compromised information being misused, it advised all affected individuals to regularly monitor their credit reports, account and benefit statements and report any suspicious activity to law enforcement authorities, including the police and the state attorney general.

 

It has also offered complimentary identity protection and credit monitoring services through Equifax to all the affected individuals.