On Tuesday, health technology services provider HealthEquity said in a filing with federal regulators that it suffered a data breach in which hackers stole “protected health information” from some of its customers.
In an 8-K filing with the SEC, the company said it detected “unusual activity on a business partner’s personal device” and concluded that the partner’s account had been compromised and that someone had used that account to access member information.
On Wednesday, HealthEquity shared more details about the incident with TechCrunch. In an email, HealthEquity spokeswoman Amy Cerny said the incident was an “isolated incident” and unrelated to other recent breaches, such as that of Change Healthcare, which is owned by healthcare giant UnitedHealth. In May, UnitedHealth CEO Andrew Witty told a House hearing that the breach affected “probably a third” of all Americans.
HealthEquity detected the breach on March 25 and “took immediate action, remediated the issue, and initiated extensive data forensics that was completed on June 10.” The company “assembled a team of external and internal experts to investigate and prepare a response.” According to Cerny, the investigation revealed that the breach occurred because a compromised third-party vendor account had access to “some of HealthEquity’s SharePoint data.”
Contact Us
Do you have any additional information about this HealthEquity breach? You can securely contact Lorenzo Franceschi-Bicchierai on Signal at +1 917 257 1382 from a non-work device, or via Telegram, Keybase, and Wire @lorenzofb, or via email. You can also contact TechCrunch via SecureDrop.
SharePoint is a suite of Microsoft tools that allows companies to create websites to store and share internal information—essentially an intranet.
Cerny also said that “the trading systems where the integration occurred were not affected,” and that the company has notified its partners, customers and members, and is working with law enforcement and experts to prevent future incidents.
TechCrunch asked Cerny to elaborate on how personally identifiable information and “protected health” information was stolen in the breach, how many people were affected, and which partners were involved. Cerny declined to answer any of these questions.
Earlier this year, HealthEquity reported that the company and its subsidiaries “work with employers, benefits advisors, and health and pension plan providers to administer HSAs and other CDBs for more than 15 million accounts.”
