Popular HSA Administrator, HealthEquity, Suffers Data Breach Involving SSNs and Health Data

Estimated Reading Time: 4 Minutes

HealthEquity, Inc. touts that they are America’s #1 Health Savings Account (HSA) administrator, pointing to a Devenir HSA Research Report published in March 2023 as proof. The company also provides other workplace benefits like dependent care and commuter benefits.

The company is in the midst of notifying some 4.3 million individuals that their sensitive information was hacked, including:

• First names,
• Last names,
• Addresses,
• Telephone numbers,
• Employee IDs,
• Employers,
• Social Security numbers,
• Health card numbers,
• Health plan member numbers,
• General contact information for dependents (if any),
• HealthEquity benefit type,
• Diagnoses,
• Prescription details,
• Payment card information (but not payment card number), and/or
• HealthEquity account type.

That’s a long (and serious) list of data types, but HealthEquity did note that not all data categories were affected for every member. The company says that the compromised data was primarily sign-up information for accounts and benefits that it administers.

HealthEquity Data Breach: What Happened?

In a recent filing with Maine’s Attorney General’s office, HealthEquity confirmed that although the hack occurred in early March of this year, they weren’t able to validate what was compromised until the end of June. Regarding how they were made aware of the hack, the HSA administrator simply says they received an alert on March 25 of a “systems anomaly.”

Their investigations determined that hackers gained access to sensitive personal and health data after using a partner’s compromised credentials. To date, the partner whose login credentials were compromised, which allowed this hack to happen, has not been named; however, we do know that these credentials gave the malicious actors access to HealthEquity’s internal Microsoft SharePoint system.

HealthEquity says it has secured the affected data repository, disabled all potentially compromised vendor accounts, terminated all active sessions, and blocked all IP addresses linked to the threat actor's activity. They also say they’ve implemented a global password reset for the impacted vendor.

The Aftermath of the HealthEquity Data Breach: Tips for Your Customers

While HealthEquity says they have arranged for free “credit identity monitoring, insurance and restoration services” for those impacted by the data breach, these services will expire in two years. Damage from this type of leaked information will ultimately affect impacted customers for the rest of their lives. If your organization partners with HealthEquity for workplace benefits or any of your customers utilize the administrator, it’s imperative that action be taken immediately. For those that have access to Iris’ portal, we suggest that your customers (or employees):

• Navigate to the Fraud Protection Center for resources on placing a fraud alert on your credit report to help prevent new account openings without your consent.
  • You will also notice resources to help you place a security freeze on your credit file so no new credit can be opened in your name.
    
    
  • Our 24/7 Identity Theft Resolution team is available if you ever need any help.
    
    
• Ensure that key Identity Monitoring items are being monitored, such as:
  • Phone number(s)
  • Social Security number
  • License number
  • Email address(es)
  • Mailing address(es)
  • Passwords
  • Health plan member number

Phishing and vishing attacks capitalizing on a high-risk hack such as the HealthEquity hack are common (and they may even target non-victims). For this reason, we also suggest:

• Beware of phishing emails. Scammers will often impersonate people or brands you know, and use themes that require urgent attention, such as missed deliveries, account suspensions, and security alerts.
  
  
• Watch out for fake vendors. Thieves may contact you posing as the vendor. Check the vendor website to see if they are contacting victims and verify any contacts using a different communication channel.
  
  
• Enable two-factor authentication where possible. This provides an extra layer of protection and is information that can’t be phished.
  
  
• Change your passwords for any health or benefits-related accounts. It’s a good practice to routinely change passwords anyway, and, as we see from this breach, hackers are very much after this kind of data.
  
  
• Keep a close eye on your financial accounts. This hack did include some financial data, so always make sure all transactions shown on your statements are valid.

Lastly, if you’ve been wondering if it makes sense to offer identity protection services to your employees or customers, the answer is always yes! Make sure you find a provider that offers comprehensive identity monitoring services that will send alerts as soon as any compromised credentials or personal information is detected on the dark web. It’s also important to find one that provides 24/7 resolution services.  We’ve noticed many identity protection providers putting less emphasis on this important service, forcing customers who need expert support to jump through hoops (and/or wait a very long time) just to speak to someone.

At Iris, our customers wait, on average, just 13 seconds when they call in, and they’re treated with compassion and empathy – each and every time.