Cyber Incident Victim: HealthEquity
Date: Jun 2023
Location: United States of America
Summary
HealthEquity was impacted by a third-party MOVEit software vulnerability. The company patched the vulnerability within 24 hours of discovery, resulting in minimal disruption. A subsequent investigation found no evidence that personally identifiable data or client information was exposed. The company was later removed from the list of entities impacted by the MOVEit vulnerability and continues to monitor its systems for threats.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
On or around June 15, 2023, HealthEquity became aware of a vulnerability associated with its third-party software provider, MOVEit. The specific vulnerability was related to the SFTP functionality of the MOVEit software. The company took immediate action upon discovery, patching the identified vulnerability within a 24-hour period. This rapid response was intended to minimize any potential disruption to its systems and to protect customer data. The patching action was a primary step in addressing the immediate security threat posed by the vulnerability.

Following the initial patching, HealthEquity conducted a thorough investigation to determine if any data exposure had occurred as a result of the vulnerability. The investigation focused on determining whether any personally identifiable information or client data had been accessed or exfiltrated. The company’s internal review concluded that there was no evidence of exposure of such data at that time. This investigation was a critical component of the company's response, aiming to assess the scope and impact of the incident on its systems and the data it manages for its clients and members.
HealthEquity was initially named publicly as an entity impacted by the broader MOVEit vulnerability. However, subsequent to its investigation and remediation efforts, the company’s status changed. As of May 31, 2023, with an update added on June 16, HealthEquity announced it had been removed from the list of impacted organizations related to the SFTP MOVEit vulnerability. This removal suggests that external entities, potentially including the software vendor or security researchers, concurred with the company's assessment that no data breach had occurred from this specific incident.
The company’s stated commitment was to maintain transparency with its customers throughout the event. It publicly communicated its actions and findings via a security update posted on its corporate blog. The update acknowledged the vulnerability and outlined the steps taken, including the swift patching and the investigation that found no evidence of data exposure. The communication emphasized that the incident resulted in minimal disruption to members, clients, and partners, indicating that core business operations were not significantly affected.
In response to the incident, HealthEquity stated it would continue to monitor its systems and deploy increased security measures and capabilities across its platforms. This ongoing effort was described as part of a strategy to help detect and prevent further threat activity. The company also noted it was working with its partners to enhance security measures collectively. The overall response was framed within the context of the company's broader responsibility to protect the confidentiality, integrity, and security of customer data, systems, and applications. The incident involved a third-party software vulnerability and did not originate from a direct breach of HealthEquity's internal infrastructure. The focus of the response was on mitigating the vulnerability introduced by the third-party tool to prevent any potential data compromise. The company's actions were a reaction to a global vulnerability disclosure affecting many organizations using the MOVEit software, rather than to a targeted attack against HealthEquity itself. The confirmed impact was limited to the presence of the vulnerability itself, which was promptly remediated, with no subsequent evidence found of any data access or theft resulting from it.
