HealthEquity Inc., a prominent Health Savings Accounts administrator in the United States, has recently disclosed a significant data breach involving unauthorized access to sensitive information.
This incident was made public via a Form 8-K filing with the Securities and Exchange Commission (SEC), which is a report that companies must submit to inform shareholders about important events.
The company specializing in financial technology and business services. It has been recognized by the IRS as a non-bank health savings trustee.
HealthEquity has the ability to serve as the custodian for health savings accounts, no matter which financial institution the funds are deposited with.
The breach was discovered earlier this year while monitoring for unusual activity on a device used by a business partner of HealthEquity.
It was discovered that an unauthorized third party had gained access to the business partner's account, allowing them to retrieve personal and health information of HealthEquity's clients and members.
FULL STATEMENT:
Earlier this year, HealthEquity, Inc. (the "Company") became aware, through routine monitoring, of anomalous behavior by a personal use device belonging to a business partner (the "Partner"). The Company promptly took steps to isolate and triage the issue and began an investigation into the nature and scope of the issue. The investigation concluded that the Partner's user account had been compromised by an unauthorized third party, who used that account to access information. The accessed information included some personally identifiable information, which in some cases is considered protected health information, pertaining to certain of our members. The investigation further concluded that some information was subsequently transferred off the Partner's systems. The Company has taken steps to strengthen its security environment, including with respect to the compromised Partner account and the recommended actions of its incident response firm.
The data that has been compromised includes sensitive health information and personal identification details.
The Form 8-K reveals that an unauthorized party took advantage of the partner's account to transfer the data from the partner's system.
HealthEquity has responded quickly to the breach. The company is conducting a thorough investigation to fully grasp the extent of the breach and assess the compromised data.
The company has made efforts to improve its security measures and prevent future breaches.
HealthEquity also does not report of any financial losses during the data breach when the unauthorized user had control of the account.
The information about the unauthorized party who has taken control of the business partner's account is lacking in detail, as is the general information about the business partner.
It is commonly understood that the mentioned account possesses major credentials within the company's business infrastructure and systems.
HealthEquity Inc has not provided a direct explanation to the public about the alleged issue.
On the contrary, they filed a Form 8-K to the SEC, which was subsequently made public.