Health technology services provider HealthEquity on Tuesday disclosed in a federal regulatory filing that it had fallen victim to a data breach in which hackers stole “protected health information” of some of its customers.
In an 8-K filing with the SEC, the company said it had detected “unusual activity from a business partner's personal device” and concluded that someone had compromised the partner's account and used it to access members' information.
HealthEquity shared details of the incident with TechCrunch on Wednesday. HealthEquity spokesperson Amy Cerny said in an email that it was an “isolated incident” and not related to other recent data breaches, such as at Change Healthcare, which is owned by health care giant UnitedHealth. UnitedHealth CEO Andrew Whitty said at a House of Representatives hearing in May that the breach affected “probably a third” of all Americans.
HealthEquity discovered the breach on March 25 and “took immediate action to remediate the issue and initiated an extensive data forensic investigation that was completed on June 10.” The company “assembled a team of external and internal experts to investigate and prepare for our response.” According to Cerny, the investigation determined that the breach was the result of a compromised third-party vendor account that accessed “some of HealthEquity's SharePoint data.”
Contact Us Do you have more information about the HealthEquity breach? You can securely contact Lorenzo Franceschi-Bicchierai from a non-work device via Signal (+1 917 257 1382), Telegram, Keybase, Wire @lorenzofb, or email. You can also contact TechCrunch via SecureDrop.
SharePoint is a set of Microsoft tools that allows businesses to create websites and store and share internal information – essentially an intranet.
Cerny also said that “the transactional systems through which the integration takes place were not affected,” and that the company has notified partners, customers and members, and is working with law enforcement and experts to prevent future incidents.
TechCrunch asked Cerny about what personal and “protected health” information was stolen in the breach, how many people were affected, which partners were involved, etc. Cerny declined to answer all of these questions.
Earlier this year, HealthEquity reported that the company and its subsidiaries “partner with employers, benefits advisors, and health and retirement plan providers to manage HSAs and other CDBs for more than 15 million accounts.”