Health Tech Company HealthEquity’s Customer Details Stolen in Data Breach 

• Healthcare fintech company HealthEquity disclosed a recent data breach that impacted sensitive customer information.
• An attacker managed to access and exfiltrate customer health information via a compromised account of a third party.
• The business partner’s account reportedly had access to HealthEquity’s SharePoint data.

Health tech services provider HealthEquity suffered a security breach after a partner's account with access to some of HealthEquity’s SharePoint data was compromised, allowing hackers to steal customers’ private health information, an 8-K filing with the SEC federal regulators disclosed.

The company said it observed irregular behavior on a business partner’s “personal use device” and decided to launch an investigation. The breach was detected on March 25, and the investigation concluded on June 10.

The extensive inquiry revealed that hackers managed to compromise and leverage a third-party vendor account to infiltrate and steal data from HealthEquity's systems due to the compromised device’s partial access to HealthEquity’s information in SharePoint, a Microsoft toolset companies employ to create websites and store and share internal data.

The data that was stolen and the number of individuals affected by this security incident haven't been disclosed, but we do know transactional systems were not impacted. The health tech provider said the company started notifying impacted people, who will be provided with complimentary credit monitoring and identity restoration services.

HealthEquity says the company and its subsidiaries manage health savings accounts (HSA), flexible spending arrangements (FSA), health reimbursement arrangements (HRA), and other consumer-directed benefits (CDB) for over 15 million accounts in the United States in partnership with employers, benefits advisers, and health and retirement plan providers.

A collaboration with law enforcement and security experts aims to prevent these cyberattacks from happening again. A spokesperson said this security incident is not connected to other recent healthcare breaches.