HealthEquity, a prominent provider of healthcare benefits administration services, has disclosed a major data breach impacting 4.3 million individuals.
HealthEquity, headquartered in Utah, recently uncovered unauthorized access to a data repository outside its core network infrastructure. The repository contained confidential customer data, including names, addresses, phone numbers, Social Security numbers, employer information, dependent details, and payment card information.
The company's data breach notification, filed with the Attorney General of Maine, revealed that the compromised data varied in scope for each affected individual. However, some of the exposed information encompassed sensitive details related to diagnoses and prescriptions, heightening concerns over potential misuse and identity theft.
HealthEquity's investigation into the incident has identified the root cause of the data breach. According to the company's findings, a malicious actor gained access to the data repository using a compromised user account belonging to one of HealthEquity's vendors. The attacker had obtained the vendor's stolen password, which let them log in to the repository and exfiltrate the sensitive data.
While HealthEquity has refrained from naming the third-party vendor involved, the company has acknowledged that the compromised account had access to some of its SharePoint data.
In response to the data breach, HealthEquity has taken proactive measures to mitigate the potential impact on affected individuals. The company has published a dedicated data breach notification on its website, providing details on the incident and offering guidance on what individuals can do to safeguard their personal information.
TechCrunch further examined HealthEquity's website notice and discovered that the company had included a hidden "noindex" directive on the page, instructing search engines not to index it. The directive made it harder for affected individuals to find the data breach notification through search results.
When questioned about the inclusion of this code, HealthEquity's spokesperson declined to comment.
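A "noindex" directive is normally delivered either as a `<meta name="robots" content="noindex">` tag in the page's HTML or as an `X-Robots-Tag: noindex` HTTP response header. The following is an added example, not code from TechCrunch, HealthEquity, or the original article, that an organization could run against its own breach-notification page to confirm the page is discoverable before publishing. It assumes the notice was suppressed via one of those two standard mechanisms; the sample HTML and header values are constructed for illustration.

```python
from html.parser import HTMLParser

# Robots directives that prevent a page from appearing in search results.
# "none" is shorthand for "noindex, nofollow".
SUPPRESSING = {"noindex", "none"}


class RobotsMetaParser(HTMLParser):
    """Collects directives from <meta name="robots"> (and bot-specific) tags."""

    def __init__(self):
        super().__init__()
        self.directives = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        name = attr.get("name", "").lower()
        if name in ("robots", "googlebot", "bingbot"):
            for token in attr.get("content", "").split(","):
                token = token.strip().lower()
                if token:
                    self.directives.append(token)


def find_noindex(html, headers=None):
    """Return a list of (source, directive) pairs that would hide the page.

    `source` is "meta" for an HTML robots meta tag or "header" for an
    X-Robots-Tag response header. An empty list means nothing on the page
    or in the headers tells search engines to skip it.
    """
    findings = []

    parser = RobotsMetaParser()
    parser.feed(html)
    for directive in parser.directives:
        if directive in SUPPRESSING:
            findings.append(("meta", directive))

    for key, value in (headers or {}).items():
        if key.lower() != "x-robots-tag":
            continue
        for token in value.split(","):
            # Header tokens may carry a user-agent prefix, e.g. "googlebot: noindex".
            token = token.split(":")[-1].strip().lower()
            if token in SUPPRESSING:
                findings.append(("header", token))

    return findings


def is_discoverable(html, headers=None):
    """True when no noindex-style directive is present in page or headers."""
    return not find_noindex(html, headers)


# Constructed sample: a notice page carrying a hidden robots meta tag.
SAMPLE_NOTICE_HTML = """<html><head>
<title>Notice of Data Breach</title>
<meta name="robots" content="noindex, nofollow">
</head><body><h1>Notice of Data Breach</h1></body></html>"""

# Constructed sample: a clean page whose server sends a suppressing header instead.
SAMPLE_CLEAN_HTML = "<html><head><title>Notice of Data Breach</title></head></html>"
SAMPLE_HEADERS = {"Content-Type": "text/html", "X-Robots-Tag": "noindex"}

if __name__ == "__main__":
    for label, html, hdrs in (
        ("meta tag", SAMPLE_NOTICE_HTML, None),
        ("header", SAMPLE_CLEAN_HTML, SAMPLE_HEADERS),
        ("clean", SAMPLE_CLEAN_HTML, None),
    ):
        print(label, "->", find_noindex(html, hdrs) or "discoverable")
```

In practice the HTML and headers would come from fetching the live notice URL (for example with `urllib.request`); the functions are kept free of network calls so the check can run in a pre-publication test.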
The HealthEquity data breach underscores the need for stronger cybersecurity measures and data protection practices within the healthcare industry. With sensitive personal and medical information at stake, even a single breach can have lasting consequences for individuals, potentially exposing them to identity theft, financial fraud, and compromised medical care.
Moreover, this incident highlights the need for organizations to exercise due diligence in vetting and monitoring their third-party vendors and suppliers. Attackers often use a weak link in the supply chain, such as a vendor account with a stolen password, as an entry point to sensitive data, making it imperative for companies to enforce strong authentication, least-privilege access controls, and monitoring across all external partnerships.
HealthEquity, Inc. is an American financial technology and business services company designated as a non-bank health savings trustee by the IRS. This designation allows HealthEquity to be the custodian of health savings accounts regardless of which financial institution the funds are deposited with.
Microsoft SharePoint is a widely used platform that enables organizations to create internal intranets and collaborate on documents and data.