Healthcare fintech firm HealthEquity is warning that it suffered a data breach after a partner’s account was compromised and used to access the Company’s systems to steal protected health information.
The Company says it detected the compromise after detecting ‘anomalous behavior’ from a partner’s personal device and launched an investigation into the incident.
The investigation revealed that the partner had been compromised by hackers who leveraged the hijacked account to gain unauthorized access to HealthEquity’s systems and, later, exfiltrate sensitive health data.
“The investigation concluded that the Partner’s user account had been compromised by an unauthorized third party, who used that account to access information,” reads the SEC filing.
“The accessed information included some personally identifiable information, which in some cases is considered protected health information, pertaining to certain of our members.”
“The investigation further concluded that some information was subsequently transferred off the Partner’s systems.”
HealthEquity specializes in providing health savings account (HSA) services and other consumer-directed benefits solutions, including flexible spending accounts (FSAs), health reimbursement arrangements (HRAs), and 401(k) retirement plans.
It is one of the largest HSA custodians in the United States, managing millions of HSA, FSA, HRA, and other benefit accounts, and working with numerous employers and health plans.
The exact impact and number of people affected by the security incident haven’t been disclosed, though HealthEquity says it has begun notifying impacted individuals.
The Company also promised to offer complimentary credit monitoring and identity restoration services to mitigate the risk for exposed people.
HealthEquity’s internal investigation has not produced evidence that malware was dropped on its systems, and there have been no technical interruptions. All business operations and services remain fully available.
The Company is currently evaluating the incident’s impact and the cost of its response efforts but noted that it does not believe the incident will have a material effect on its business or financial results.