Financial technology and business services provider HealthEquity based in Draper, UT encountered a cyberattack that exposed SharePoint data, including protected health information (PHI). HealthEquity offers the following services: health savings account (HSA), and consumer-focused benefits solutions, such as health reimbursement arrangements (HRAs). It handles many HRAs, HSAs, and other benefit accounts.
HealthEquity revealed in its recent Securities and Exchange Commission (SEC) 8-K filing that it discovered anomalous activities in the device of a business partner. The initial investigation showed a breach of the third-party device, and a hacker used the device to view some members’ SharePoint data. Malware was not found to have impacted HealthEquity’s systems and business operations. Although the company is still checking the financial effect of the breach, it believes that the attack will not seriously impact its business or financial services.
HealthEquity discovered the breach on March 25, 2024, and took quick action to stop the unauthorized access. A forensic investigation was conducted to identify the scope of the breach, which showed an unauthorized person accessed and stole SharePoint data in HealthEquity. The transactional systems used by HealthEquity for integrations were not impacted. Affected partners, clients, and members have started receiving notification letters and offers of free identity theft protection and credit monitoring services. The scope of the breach and the types of data exposed were not yet publicly announced.
HealthEquity spokesperson Amy Cerny told TechCrunch on July 3 that the breach was an isolated case. It is not linked to other attacks, like the Change Healthcare attack. The investigation showed that the incident was caused by a breach of a third-party vendor account with access to some SharePoint data in HealthEquity.
This data breach is a reminder of the importance of cybersecurity and adherence to HIPAA laws. Seeing the many high-profile breaches at healthcare providers in the past few weeks, it is likely that many fail to implement HIPAA compliance.