close
close
Skip to main content
metropolis
Data breach at HealthEquity could affect 4.3 million

Data breach at HealthEquity could affect 4.3 million

Vaseline 3 months ago

Dive briefing:

  • Health insurance administrator HealthEquity reported a data breach that may have exposed information on 4.3 million people, according to a report filed with the Maine attorney general last week.
  • A vendor’s user accounts that had access to a number of HealthEquity systems were compromised, the company said. The breach allowed an unauthorized third party to infiltrate a data repository outside of the core systems.
  • Names, contact information, employer information, Social Security numbers, health plan details, diagnoses, prescription information and details about HealthEquity benefits and accounts may have been exposed. Payment card information, but not the card number, may also have been compromised, a breach notice said.

Diving insight:

HealthEquity administers benefits such as health savings accounts, flexible spending accounts, health reimbursement plans, and COBRA health plans.

The company’s core offering is the HSA, which allows customers to save pre-tax money for future medical expenses. HealthEquity managed 8.7 million HSAs at the end of January, according to a securities filing.

The company said it noticed a “system anomaly” in March, and HealthEquity launched an investigation that lasted until June.

Towards the end of the In June, the company determined that some members’ protected health information or personally identifiable information may have been exposed in the breach. Some information was also transferred from the vendor’s systems, according to a securities filing by HealthEquity early this month.

“We took immediate, proactive, and cautious action since we first discovered an anomaly with our third-party vendor. This included quickly resolving the issue, assembling a team of external and internal experts to investigate, and preparing for a response,” a company spokesperson told Healthcare Dive.

The latest breach comes as cybersecurity becomes an increasing concern for the healthcare sector.

Major data breaches reported to HHS’s Office for Civil Rights affected more than 134 million people last year, a 141% increase from 2022. More and more breaches are the result of hacking or ransomware, a type of malware that locks users out of their data until a ransom is paid.

The industry has already seen multiple breaches this year affecting more than a million people, including health system Geisinger, pharmacy benefit manager Sav-Rx and health plan administrator WebTPA Employer Services.

The cyberattack on UnitedHealth’s technology provider and claims processing firm Change Healthcare could also pose a huge breach risk. UnitedHealth’s CEO estimated the attack compromised the data of a third of U.S. citizens during a congressional hearing in May.