July 29, 2024 at 11:59AM
HealthEquity reported a cybersecurity incident compromising the data of 4.3M individuals, including sensitive health and personal information. The breach, discovered on March 9, 2024, was verified on June 26. The exposed data varies per person and includes full names, addresses, SSNs, and payment card information. HealthEquity secured the breached data repository and provided identity theft protection services to those affected.
The key takeaways are as follows:
– HealthEquity, a major HSA custodian in the U.S., suffered a cybersecurity incident that compromised the information of 4,300,000 individuals.
– The breach involved sensitive health and personally identifiable information of impacted individuals, such as full names, home addresses, SSNs, and payment card information (but not card numbers).
– The breach was attributed to threat actors using compromised credentials of a partner, resulting in unauthorized access to an unstructured data repository outside of HealthEquity’s core systems.
– HealthEquity has taken measures to secure the breached data repository, including termination of unauthorized sessions, blocking IP addresses of intruders, and implementing a global password reset for the affected vendor.
– Impacted individuals will receive data breach notifications offering two years of credit monitoring and identity theft protection through Equifax, along with guidance on remaining vigilant and reviewing account statements for suspicious activity.
– As of now, no threat actors have claimed responsibility for the attack, and the stolen data has not been leaked online.