Health tech services provider HealthEquity suffered a security breach after a partner's account with access to some of HealthEquity’s SharePoint data was compromised, allowing hackers to steal customers’ private health information, an 8-K filing with the SEC federal regulators disclosed.
The company said it observed irregular behavior on a business partner’s “personal use device” and decided to launch an investigation. The breach was detected on March 25, and the investigation concluded on June 10.
The extensive inquiry revealed that hackers managed to compromise and leverage a third-party vendor account to infiltrate and steal data from HealthEquity's systems due to the compromised device’s partial access to HealthEquity’s information in SharePoint, a Microsoft toolset companies employ to create websites and store and share internal data.
The data that was stolen and the number of individuals affected by this security incident haven't been disclosed, but we do know transactional systems were not impacted. The health tech provider said the company started notifying impacted people, who will be provided with complimentary credit monitoring and identity restoration services.
HealthEquity says the company and its subsidiaries manage health savings accounts (HSA), flexible spending arrangements (FSA), health reimbursement arrangements (HRA), and other consumer-directed benefits (CDB) for over 15 million accounts in the United States in partnership with employers, benefits advisers, and health and retirement plan providers.
A collaboration with law enforcement and security experts aims to prevent these cyberattacks from happening again. A spokesperson said this security incident is not connected to other recent healthcare breaches.