HealthEquity was also the victim of a data breach in June

Nov 16, 2018 18:56 GMT

HealthEquity, an IRS non-bank health savings trustee that handles more than 3.4 million health savings accounts, was breached when an intruder accessed the email accounts of two HealthEquity team members, exposing protected health information (PHI)/personally identifiable information (PII) of 20,906 subscribers.

According to HealthEquity's data breach notification, "The unauthorized access occurred, in the case of one account, on October 5, and in the case of the other, on different occasions between September 4, 2018, and October 3, 2018."

The HealthEquity organization manages 401(k) accounts, flexible spending accounts, health reimbursement, and a number of other services for approximately 40,000 companies.

HealthEquity was also the victim of a data breach in June 2018, when a phishing attack exposed the protected health information (PHI) of an estimated 23,000 subscribers.

The data exposed by the two compromised email accounts during the security breach includes a combination of employee names, employer names, associated plans, account types (HSA, HRA, FSA, LPFSA, DCRA), and health plan enrollment data, in varying degrees.

Number of individuals and exposed data

HealthEquity provides all affected subscribers with 5 years of ID Experts’ identity theft protection and credit monitoring

As detailed in the sample notices sent to law enforcement agencies and the U.S. Department of Health and Human Services Office for Civil Rights, HealthEquity’s information security team initially discovered the breach on October 5.

Subsequently, security measures were put in place to prevent further unauthorized third-party access to the affected email accounts, and an analysis was started to identify the personal information exposed during the breach.

The data breach notice also says that "Although we have no evidence that the unauthorized individual viewed any of the emails in the email accounts, HealthEquity cannot conclusively rule out this possibility."

HealthEquity was also helped by a forensics firm, which found that the intruders accessed only the two email accounts mentioned in the security breach notice and that all other HealthEquity computing systems were unaffected.

"HealthEquity is providing affected individuals with 5 years of ID Experts’ credit monitoring and identity theft protection services," the published breach notice also says.
