Healthcare fintech company HealthEquity announced a 2024 data breach this month and has now disclosed that 4.3 million people were affected, as per a data breach notice.
The exposed personal information includes full name, home address, phone number, Social Security Number (SSN), general dependent information, employer and employee ID, and payment card information that does not include card numbers.
HealthEquity will provide identity theft protection services through Equifax, including free credit monitoring, insurance, and restoration services for two years. The written notice will be sent to affected people on August 9.
The security incident occurred on March 9 and was discovered on June 26. It did not impact transactional systems. No cybercriminals have claimed the HealthEquity attack, and stolen data has not been leaked yet.
An attacker accessed and exfiltrated sensitive customer health details via a compromised account of an unnamed third party that reportedly had access to HealthEquity’s data in SharePoint, a Microsoft toolset companies employ to create websites and store and share internal data.
The company said it launched an investigation after observing irregular behavior on a business partner’s “personal use device.” No other details have been disclosed on the attack.
HealthEquity and its subsidiaries handle over 15 million American accounts’ health savings accounts (HSA), flexible spending arrangements (FSA), health reimbursement arrangements (HRA), and other consumer-directed benefits (CDB) in partnership with employers, benefits advisers, and health and retirement plan providers.
A spokesperson said this security incident is not connected to other recent healthcare breaches.