Healthcare fintech agency HealthEquity is warning that it suffered a data breach after a associate’s account was compromised and used to entry the Firm’s programs to steal protected well being info.
The Firm says it detected the compromise after detecting ‘anomalous habits’ from a associate’s private gadget and launched an investigation into the incident.
The investigation revealed that the associate had been compromised by hackers who leveraged the hijacked account to achieve unauthorized entry to HealthEquity’s programs and, later, exfiltrate delicate well being information.
“The investigation concluded that the Companion’s person account had been compromised by an unauthorized third social gathering, who used that account to entry info,” reads the SEC submitting.
“The accessed info included some personally identifiable info, which in some instances is taken into account protected well being info, pertaining to sure of our members.”
“The investigation additional concluded that some info was subsequently transferred off the Companion’s programs.”
HealthEquity makes a speciality of offering well being financial savings account (HSA) companies and different consumer-directed advantages options, together with versatile spending accounts (FSAs), well being reimbursement preparations (HRAs), and 401(ok) retirement plans.
It is likely one of the largest HSA custodians in the USA, managing hundreds of thousands of HSA, FSA, HRA, and different profit accounts, and dealing with quite a few employers and well being plans.
The precise impression and variety of folks affected by the security incident have not been disclosed, although HealthEquity says it has begun notifying impacted people.
The Firm additionally promised to supply complimentary credit score monitoring and identification restoration companies to mitigate the chance for uncovered folks.
HealthEquity’s inside investigation has not produced proof that malware was dropped on its programs, and there have been no technical interruptions. All enterprise operations and companies stay totally obtainable.
The Firm is at the moment evaluating the incident’s impression and the price of its response efforts however famous that it doesn’t imagine the incident can have a fabric impact on its enterprise or monetary outcomes.
