HealthEquity is notifying 4.3 million people following a March data breach affecting personal and protected health information.
In a data breach notification filed with the Maine Attorney General, the Utah-based health benefits management company said that while the exposed data varies by individual, most of it is account registration information and information about benefits managed by the company.
HealthEquity said the data could include customers' names, addresses, phone numbers, Social Security numbers, information about their employers and dependents (if they have any), and some payment card information.
HealthEquity provides employees of companies across the U.S. with access to workplace benefits such as health savings accounts and commuter options for public transportation and parking. In its earnings call in February, HealthEquity announced that its total customer accounts now exceed 15 million.
HealthEquity said in a data breach notice that it discovered the breach after detecting unauthorized access to an “unstructured data repository” outside its core network that contained personal and health information about customers. The stolen data also included information about diagnoses and prescriptions.
According to the notice, the breach occurred when a user account belonging to one of HealthEquity's vendors was compromised: the account's password was stolen and used by malicious hackers to access a data repository.
HealthEquity did not name the third-party vendor when reached for comment. The company previously told TechCrunch that the compromised third-party vendor's account had access to “a portion of HealthEquity's SharePoint data,” a reference to Microsoft SharePoint, which allows companies to create their own intranets.
In recent years, several other companies, including Activision, Snowflake, and Worldcoin, have also experienced security incidents due to stolen employee passwords. Many of these incidents are caused by password-stealing malware that scrapes passwords and credentials from employee computers. Some password-stealing malware circumvents multi-factor authentication, a security feature that can block some password-stealing attacks, by stealing session tokens that are stored on employee computers and used to keep employees permanently logged in. Stolen session tokens can be used by hackers to gain access to the company network as if they were employees.
HealthEquity spokesperson Stacey Salzgiver reiterated that the data breach was an “isolated incident” and confirmed that it was unrelated to the recent breach of customer data held by cloud giant Snowflake.
HealthEquity published a data breach notice on its website. A review of the website notice by TechCrunch revealed that HealthEquity had included hidden “noindex” code on its pages that instructed search engines to ignore the webpages, effectively blocking affected individuals from finding HealthEquity's data breach notice in search results.
When contacted by TechCrunch, a company spokesperson declined to comment on the inclusion of the code.