close
close

According to HealthEquity, the data breach is an “isolated incident”

On Tuesday, health technology services provider HealthEquity disclosed in a filing with U.S. regulators that it had suffered a data breach in which hackers stole the “protected health information” of some customers.

In an 8-K filing with the SEC, the company said it had observed “anomalous behavior on a business partner’s personal device” and concluded that the partner’s account had been compromised by someone who then used the account to access members’ information.

On Wednesday, HealthEquity provided more details of the incident to TechCrunch. HealthEquity spokeswoman Amy Cerny said in an email that it was an “isolated incident” not related to other recent data breaches, such as that of Change Healthcare, owned by healthcare giant UnitedHealth. In May, UnitedHealth CEO Andrew Witty told a House hearing that the data breach affected “maybe a third” of all Americans.

HealthEquity discovered the data theft on March 25 and “immediately took action, remediated the issue, and began a comprehensive data forensics effort that was completed on June 10.” The company “assembled a team of external and internal experts to investigate the incident and prepare a response.” The investigation found that the data theft was due to the compromised third-party account having access to “some of HealthEquity’s SharePoint data,” Cerny said.

Contact us

Do you have more information about this HealthEquity breach? From a personal device, you can contact Lorenzo Franceschi-Bicchierai securely via Signal at +1 917 257 1382 or via Telegram, Keybase, and Wire @lorenzofb or via email. You can also contact TechCrunch via SecureDrop.

SharePoint is a set of Microsoft tools that enable companies to create websites and store and share internal information – essentially an intranet.

Cerny also said that “transaction systems where integrations occur were not affected” and that the company is notifying partners, customers and members and working with law enforcement and experts to prevent future incidents.

TechCrunch asked Cerny to specify what personal and “protected health information” was stolen in this data breach, how many people were affected and which partner was involved. Cerny declined to answer all of these questions.

Earlier this year, HealthEquity reported that the company and its subsidiaries “manage HSAs and other CDBs for our more than 15 million accounts in partnership with employers, benefit advisors and health and retirement plan providers.”