HealthEquity data breach could affect 4.3M

Dive Brief:

  • Health benefits administrator HealthEquity reported a data breach that may have exposed information from 4.3 million people, according to a notification filed last week with Maine’s attorney general.
  • A vendor’s user accounts that had access to some of HealthEquity’s systems were compromised, the company said. The breach allowed an unauthorized third party to infiltrate a data repository outside its core systems. 
  • Names, contact information, employer information, Social Security numbers, health plan details, diagnoses, prescription information and details about HealthEquity benefits and accounts may have been exposed. Payment card details, though not the card number, also may have been compromised, according to a breach notice. 

Dive Insight:

HealthEquity manages benefits such as health savings accounts, flexible spending accounts and health reimbursement arrangements, and COBRA health plans. 

The company’s core offering is the HSA, which allows customers to save pretax money for future medical expenses. HealthEquity administered 8.7 million HSAs as of the end of January, according to a securities filing. 

The company said it noticed a “systems anomaly” in March, and HealthEquity launched an investigation that lasted until June. 

By the end of June, the company determined some members’ protected health information or personally identifiable information could have been exposed in the breach. Some information was also transferred off of the vendor’s systems, according to a securities filing from HealthEquity early this month.

“We have taken immediate, proactive, and prudent action since we first discovered an anomaly with our third-party vendor. This included quickly resolving the issue, bringing together a team of outside and internal experts to investigate, and preparing for response,” a company spokesperson told Healthcare Dive, HR Dive’s sister publication.

The latest breach comes as cybersecurity becomes an increasingly pressing concern for the healthcare sector. 

Large data breaches reported to the HHS’ Office for Civil Rights affected more than 134 million people last year, a 141% increase from 2022. A growing number of breaches involve hacking or ransomware, a type of malware that denies users access to their data until a ransom is paid.

The industry has already seen multiple breaches affecting more than a million people this year, including at health system Geisinger, pharmacy benefit manager Sav-Rx and health plan administrator WebTPA Employer Services.

The cyberattack against UnitedHealth-owned technology vendor and claims processing firm Change Healthcare could also pose a huge breach risk. At a congressional hearing in May, UnitedHealth’s CEO estimated the attack compromised the data of a third of U.S. individuals.