On Tuesday, health tech services provider HealthEquity revealed in a filing with federal regulators that it had experienced a data breach, resulting in hackers stealing the “protected health information” of some customers.
In an 8-K filing with the SEC, the company reported detecting “anomalous behavior by a personal use device belonging to a business partner.” HealthEquity concluded that the partner’s account had been compromised and used to access members’ information.
On Wednesday, HealthEquity provided more details of the incident. HealthEquity spokesperson Amy Cerny stated in an email that this was “an isolated incident” and not connected to other recent breaches, such as the one affecting Change Healthcare, owned by UnitedHealth. In May, UnitedHealth CEO Andrew Witty said in a House hearing that the Change Healthcare breach impacted “maybe a third” of all Americans.
HealthEquity detected the breach on March 25 and took immediate action, resolving the issue and initiating extensive data forensics, which were completed on June 10. The company assembled a team of external and internal experts to investigate and prepare for the response. The investigations determined that the breach was due to the compromised third-party vendor account accessing “some of HealthEquity’s SharePoint data,” according to Cerny.
SharePoint is a set of Microsoft tools that allows companies to create websites and store and share internal information, essentially functioning as an intranet.
Cerny further noted that “transactional systems, where integrations occur, were not impacted.” The company is notifying partners, clients, and members, and has been collaborating with law enforcement and experts to prevent future incidents.
When asked to specify what personally identifiable and “protected health” information was stolen, the number of affected individuals, and the identity of the involved partner, Cerny declined to answer.
Earlier this year, HealthEquity reported that the company and its subsidiaries “administer HSAs and other CDBs for our more than 15 million accounts in partnership with employers, benefits advisers, and health and retirement plan providers.”