HealthEquity has fallen victim to a significant data breach following a cyber attack that has impacted approximately 4.3 million individuals.
The healthcare FinTech company revealed on Monday that it had discovered unauthorized access to personal and health information within an unstructured data repository outside of its core systems.
The compromised data included health information as well as personally identifiable information (PII) such as addresses, phone numbers, and payment data.
The data breach was initially identified on March 25th, but the full extent of the breach wasn't determined until this week. It was discovered when HealthEquity flagged 'anomalous behaviour' from a partner's personal device. Their team quickly launched a full investigation into the potential breach, revealing their findings in an SEC filing.
The partner account was confirmed to have been hacked by an unnamed party. The SEC filing confirms that “The investigation concluded that the Partner's user account had been compromised by an unauthorized third party, who used that account to access information.”
The breach was facilitated by a compromised third-party account that provided access to “some of HealthEquity’s SharePoint data.”
SharePoint is a Microsoft platform designed to organize and share information within a company. It functions as a digital workspace for teams to collaborate on documents and projects.
HealthEquity says it has begun the process of notifying affected individuals. The company has also claimed it will offer complimentary credit monitoring and identity restoration services to mitigate the ongoing risk for affected parties.
Commenting on the breach, Sergio Figueroa Santos, senior security consultant at the Synopsys Software Integrity Group, told EM360Tech, “Unfortunately, in many security activities, these external services can be blurred as "implementation details" or "part of someone else's scope," which effectively means that responsibility falls through everyone's hands like sand. And even when someone picks up the burden, it is a tall order. The main reason for this is that service providers seldom have incentives to adjust their behaviour after a contract is signed, which means that any security-relevant requirements must be agreed before that point.”
Internal investigations conducted by HealthEquity concluded that there was no evidence to suggest that malware had been deposited on its systems. There was also no interruption to operations, with all services remaining fully available throughout the process. The company's conclusions note that there will not be a significant impact on the finances of the business.
HealthEquity spokesperson Amy Cerny told TechCrunch that the data breach was “an isolated incident” and it is not connected to other recent breaches, such as Change Healthcare.
What is HealthEquity?
HealthEquity is a financial technology company that specializes in managing Health Savings Accounts (HSAs).
They hold customers' HSA funds and ensure they are invested or saved according to their preferences. They also host and provide tools to help customers track their HSA balance, contributions, and withdrawals, and offer resources about HSAs to help people make informed decisions.
What to do if your data has been leaked?
HealthEquity has confirmed that they are in the process of notifying affected individuals and will offer complimentary credit monitoring and identity restoration services to mitigate the ongoing risk.
"There are several technical mechanisms that can reduce the risks of specific attacks. For example, data encryption controlled by the owners of the application could reduce the risk of a malicious service provider peeking over the data. Or an effective log monitoring strategy can flag malicious attempts to read the data.
But the essence of the issue comes back to an adage that is an old favorite of the security community: the chain breaks by its weakest link. If the security of your service provider is not at least as robust as your own, that service that you expected to give you peace of mind will become a liability.
Work with your providers to ensure you understand their security practices because even if a security incident happens because of them, it is your name that will make the headlines." Sergio Figueroa Santos, senior security consultant at the Synopsys Software Integrity Group, told EM360Tech.
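The log-monitoring idea in the quote above, sketched as an added example (not code from HealthEquity, Synopsys or the original article): it flags an external account that reads an unusual number of distinct SharePoint files in a short window. It assumes partner accounts appear as guest accounts with the `#EXT#` marker in `UserId`; the thresholds, account names and audit records are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

READ_OPS = {"FileAccessed", "FileDownloaded"}          # SharePoint read operations
PARTNER = "jdoe_partner.example#EXT#@tenant.example"   # constructed guest account
STAFF = "alice@tenant.example"                         # constructed internal account

def make_event(ts, user, ip, op, path):
    """Build a constructed record using unified audit log field names."""
    return {"CreationTime": ts, "UserId": user, "ClientIP": ip,
            "Operation": op, "ObjectId": path}

SAMPLE_EVENTS = (
    # Partner's usual pattern: a couple of reads from a known address.
    [make_event(f"2024-03-20T09:0{i}:00", PARTNER, "198.51.100.10",
                "FileAccessed", f"/sites/claims/doc{i}.xlsx") for i in range(2)]
    # Internal user reading many files: out of scope for this rule.
    + [make_event(f"2024-03-25T10:0{i}:00", STAFF, "192.0.2.5",
                  "FileDownloaded", f"/sites/hr/file{i}.pdf") for i in range(8)]
    # Burst of downloads by the partner account from a new address.
    + [make_event(f"2024-03-25T02:0{i}:00", PARTNER, "203.0.113.77",
                  "FileDownloaded", f"/sites/claims/export{i}.csv") for i in range(7)]
)

def flag_partner_bursts(events, window=timedelta(minutes=10), max_files=5):
    """Return one alert per guest account exceeding max_files distinct reads in window."""
    recent = defaultdict(deque)      # user -> (time, object) pairs inside the window
    first_seen = defaultdict(dict)   # user -> {ip: time first observed}
    alerts = {}
    for ev in sorted(events, key=lambda e: e["CreationTime"]):
        user = ev["UserId"]
        if "#EXT#" not in user or ev["Operation"] not in READ_OPS:
            continue
        now = datetime.fromisoformat(ev["CreationTime"])
        q = recent[user]
        q.append((now, ev["ObjectId"]))
        while now - q[0][0] > window:            # drop reads older than the window
            q.popleft()
        first_seen[user].setdefault(ev["ClientIP"], now)
        distinct = len({obj for _, obj in q})
        if distinct > max_files and user not in alerts:
            alerts[user] = {"user": user, "start": q[0][0].isoformat(), "files": distinct,
                            "new_ip": first_seen[user][ev["ClientIP"]] >= q[0][0]}
    return list(alerts.values())

if __name__ == "__main__":
    print(flag_partner_bursts(SAMPLE_EVENTS))
```
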
The most important thing you can do is change any passwords, particularly if you have reused your HealthEquity password on other accounts.
After changing your passwords, ensure that you set up multi-factor authentication (MFA). This adds an extra layer of protection to your accounts, making it much harder for hackers to gain access. MFA requires you to provide two or more pieces of evidence to verify your identity when you log in. Even if threat actors have been able to access your HealthEquity password, they will not be able to log in without further authentication.
Ensure you are vigilant about potential phishing emails. Scammers might use the breach to send emails pretending to be HealthEquity. These emails attempt to trick you into clicking on dangerous links. Don't click on any links or attachments and be wary of emails urging immediate action.
Finally, make sure to monitor your financial accounts - which is good general practice. Keep an eye out for any unusual activity on your bank statements. If you notice anything suspicious, report it to your bank immediately.