On Tuesday, health technology services provider HealthEquity disclosed in a filing with federal regulators that it suffered a data breach in which hackers stole the “protected health information” of some customers.
In an 8-K filing with the SEC, the company said it detected “abnormal behavior from a personal-use device belonging to a business partner” and concluded that the partner’s account had been compromised by someone who then used the account to access member information.
On Wednesday, HealthEquity revealed more details about the incident to TechCrunch. Amy Cerny, a spokesperson for HealthEquity, said in an email that this was an “isolated incident” that is not related to other recent breaches, like that of Change Healthcare, owned by health care giant UnitedHealth. In May, UnitedHealth CEO Andrew Witty told a House hearing that the breach affected “perhaps a third” of all Americans.
HealthEquity detected the breach on March 25, when it “took immediate action, resolved the issue, and began a thorough data analysis, which was completed on June 10.” The company assembled “a team of external and internal experts to investigate and prepare the response.” The investigations determined that the breach was caused by the compromised third-party vendor account having access to “certain HealthEquity SharePoint data,” according to Cerny.
SharePoint is a set of Microsoft tools that allows businesses to create websites and store and share internal information, essentially an intranet.
Cerny also said that “transactional systems, where integrations take place, were not affected,” and that the company is informing its partners, customers and members, and working with law enforcement and experts to prevent future incidents.
TechCrunch asked Cerny to specify what personally identifiable and “protected health” information was stolen in the breach, how many people were affected, and which partner was involved. Cerny declined to answer any of these questions.
Earlier this year, HealthEquity reported that the company and its subsidiaries “administer HSAs and other CDBs for our more than 15 million accounts in partnership with employers, benefits advisors and health and retirement plan providers.”