
HealthEquity, a leading health savings account (HSA) provider in the U.S., disclosed a cybersecurity incident that compromised the information of 4.3 million people. This breach was detailed in a Form 8-K filing on July 2, 2024, revealing that attackers stole sensitive health data using compromised credentials from a partner.
The breach, which occurred on March 9, 2024, was confirmed by HealthEquity on June 26, following an extensive internal investigation. The stolen data, stored in an unstructured repository outside of HealthEquity’s core systems, includes full names, home addresses, telephone numbers, employer and employee IDs, Social Security Numbers, general dependent information, and payment card details.
HealthEquity has since secured the breached repository by terminating unauthorized sessions and blocking related IP addresses. Additionally, a global password reset was implemented for the affected vendor’s account. Impacted individuals will receive notifications and a two-year credit monitoring and identity theft protection service from Equifax.
The company advises affected individuals to monitor their accounts for suspicious activity and verify their personal information on HealthEquity’s platform. While no threat actors have claimed responsibility for the breach, and the stolen data has not been leaked online, HealthEquity emphasizes vigilance in response to this incident.