Dive Overview:
Health benefits management company HealthEquity reported a data breach that may have exposed the personal information of 4.3 million people, according to a notice filed with the Maine Attorney General last week. The company said vendor user accounts with access to some of HealthEquity’s systems were compromised. The breach allowed unauthorized third parties to access data repositories outside of core systems. Names, contact information, employer information, Social Security numbers, health plan details, diagnoses, prescription information, and details about HealthEquity benefits and accounts may have been exposed. Payment card details may also have been exposed, although not card numbers, according to the breach notice.
Dive Insights:
HealthEquity administers employee benefits such as health savings accounts, flexible spending accounts, health reimbursement arrangements and COBRA health plans.
The company’s flagship product is the HSA, which allows customers to put aside pre-tax money for future medical expenses. HealthEquity managed 8.7 million HSAs as of the end of January, according to securities filings.
The company said it noticed a “system anomaly” in March and began an investigation that continued through June.
By the end of June, the company determined that the breach may have exposed some of its members’ protected health information or personally identifiable information. Some of the information was transferred from a vendor’s systems, according to a securities filing HealthEquity made earlier this month.
“Since first discovering the third-party vendor anomalies, we have taken swift, aggressive and prudent action, including quickly resolving the issue, assembling a team of external and internal experts to investigate, and preparing a response,” a company spokesperson told Healthcare Dive.
The breach comes at a time when cybersecurity has become an increasingly pressing concern in the healthcare sector.
Massive data breaches reported to the Department of Health and Human Services’ Office for Civil Rights affected more than 134 million people last year, up 141% from 2022. Breaches caused by hacks and ransomware (a type of malware that denies access to users’ data until a ransom is paid) are on the rise.
The industry has already seen multiple breaches this year affecting more than a million people, including at health system Geisinger, pharmacy benefits manager Sav-Rx and health plan management company WebTPA Employer Services.
A cyberattack on Change Healthcare, a technology vendor and claims processor owned by UnitedHealth, also poses a significant data exposure risk: UnitedHealth’s CEO estimated at a congressional hearing in May that the attack compromised the data of one-third of Americans.