HealthEquity Reports Data Breach Impacting Over 4.3 Million Individuals

In a recent development, HealthEquity has notified 4.3 million people about a March data breach that compromised their personal and protected health information.

What Happened?

According to the data breach notice filed with Maine’s attorney general, HealthEquity discovered unauthorized access in an "unstructured data repository" outside of its core network, which contained customers’ personal and health information. The stolen data includes customer names, addresses, phone numbers, Social Security numbers, employer information, dependent information (if applicable), and some payment card details.

Scope of the Breach

HealthEquity’s notification states that the affected individuals are those who have accounts with HealthEquity, which provides employees at companies across the United States access to workplace benefits, such as health savings accounts and commuter options for public transit and parking. At its February earnings, HealthEquity reported having more than 15 million total customer accounts.

How Did It Happen?

HealthEquity’s investigation revealed that a user account of one of their vendors was compromised, allowing the malicious hacker to access the data repository. When questioned about the incident, HealthEquity refused to name the third-party vendor involved. In previous statements, the company mentioned that the compromised vendor account had access to "some of HealthEquity’s SharePoint data," referring to Microsoft SharePoint, which enables companies to create internal intranets.

Similar Incidents

This is not an isolated incident. Several other companies have experienced security incidents due to employee password theft, often through password-stealing malware that scrapes passwords and credentials found on an employee’s computer. Password-stealing malware can bypass multifactor authentication by stealing session tokens stored on the employee’s computer.

HealthEquity’s Response

Stacie Saltzgiver, HealthEquity spokesperson, described the data breach as an "isolated incident" and confirmed that it was unrelated to recent breaches of customer data held by cloud giant Snowflake. HealthEquity has published a data breach notification on its website, which includes hidden "noindex" code that instructs search engines to ignore the web page, effectively blocking affected individuals from finding HealthEquity’s data breach notice in search results.

Cybersecurity Concerns

The inclusion of "noindex" code raises questions about transparency and accountability. When asked by TechCrunch, HealthEquity’s spokesperson did not comment on this aspect. The incident highlights the importance of robust cybersecurity measures, including multifactor authentication and regular security audits.

Related News

• Tesla to split $100M award for electric truck charging corridor in Illinois
• Bluesky is getting its own photo-sharing app, Flashes
• UnitedHealth hid its Change Healthcare data breach notice for months

Stay Informed

To stay up-to-date with the latest news and developments in cybersecurity, follow these sources:

• TechCrunch Daily News
• TechCrunch AI
• Startups Weekly