Cyber Incident Victim: HealthEquity
Date:
Sep 2018
Location:
United States of America
Summary
A cybersecurity incident at HealthEquity involved unauthorized access to two employee email accounts, compromising protected health information and personally identifiable data of approximately 21,000 subscribers. The breach exposed names, employer details, health plan enrollment information, and account types, though forensic analysis confirmed no broader system impact beyond the compromised email accounts. This marked a subsequent breach following an earlier phishing incident affecting a similar number of individuals. While investigators found no evidence of data viewing, the organization provided affected customers with multi-year identity theft protection and credit monitoring services as a precautionary measure.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The HealthEquity data breach occurred between September 4 and October 5, 2018, when an unauthorized intruder accessed two employee email accounts. The first account was compromised between September 4 and October 3, while the second experienced unauthorized access on October 5. HealthEquity, a non-bank health savings trustee managing over 3.4 million accounts and serving approximately 40,000 companies, discovered that protected health information (PHI) and personally identifiable information (PII) of 20,906 subscribers was exposed. The compromised data included employee names, employer names, specific health plans, account types such as Health Savings Accounts (HSA) and Health Reimbursement Arrangements (HRA), and health plan enrollment details. Forensic investigation confirmed the breach was limited to these two email accounts with no evidence of broader system compromise.
This incident marked the second breach HealthEquity experienced in 2018, following a June phishing attack that exposed PHI of 23,000 subscribers. The organization notified affected individuals and offered five years of identity theft protection and credit monitoring through ID Experts. While investigators found no proof that the intruder viewed emails, HealthEquity acknowledged they couldn't eliminate that possibility. The breach notification emphasized that core account systems remained unaffected, with no evidence of misuse of the exposed data. HealthEquity's response included engagement of forensic experts to confirm the breach scope and implementation of additional security measures for email accounts.