HealthEquity Says a Vendor’s Compromised Credentials Led to Data Theft Breach
Healthcare benefits plan administrator HealthEquity said hackers obtained sensitive data in a breach involving compromised credentials held by a third-party vendor. The incident did not disrupt company IT systems.
In a Tuesday filing with U.S. federal regulators, HealthEquity said it “became aware, through routine monitoring, of anomalous behavior by a personal use device belonging to a business partner.”
The company concluded that the third-party vendor’s user account had been compromised by an unauthorized actor, who used that account to access information.
Some data was also determined to have been “transferred off the partner’s systems.” Information affected includes personally identifiable information and protected health information pertaining to certain HealthEquity benefits members.
The incident did not cause interruption to HealthEquity’s IT systems, services or business operations, and no malicious code was found in HealthEquity’s systems, the company said.
HealthEquity is in the process of notifying affected partners and clients, as well as identifying and notifying individual members whose information was affected by the incident.
It told the U.S. Securities and Exchange Commission that it doesn’t consider the event to have a “material adverse effect” on its business, operations or financial results. It also disclosed filing a claim with a cyber insurance provider and its belief that the policy should cover incident costs.
Draper, Utah-based HealthEquity on its website says more than 120,000 organizations and 14 million members use its benefits management services.
HealthEquity in a statement to Information Security Media Group said the third-party vendor had access to HealthEquity data kept on a SharePoint server.
As of Friday, the HealthEquity incident did not appear posted on the U.S. Department of Health and Human Services’ HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
Another HealthEquity Incident, in Kentucky
In a separate, unrelated HealthEquity incident, Kentucky Gov. Andy Beshear’s personnel cabinet office said in a June 21 statement that it had been notified by the firm on May 14 that 449 individuals participating in the Kentucky employees’ health plan were affected by a data security incident at the company.
HealthEquity administers flexible spending accounts and health reimbursement arrangements on behalf of the Kentucky employees’ health plan. Kentucky’s statement said HealthEquity determined the “potential fraud event” was presumed to involve “bad actors” who accessed the members’ accounts with the aim of receiving money from claim reimbursements.
“No personal identifying information, including Social Security numbers or bank account numbers, is known to have been compromised,” the statement said.
“Although the HealthEquity member portal masks personally identifiable information and existing bank account information, it does provide the ability to view previously submitted reimbursement claims, which may contain PHI and/or PII,” the Kentucky government’s statement said.
“However, no evidence supports that the bad actors viewed any prior claims documentation in the affected account.”
HealthEquity is investigating whether any claim reimbursements were fraudulently submitted or redirected, and has pledged to restore any member accounts to the prior balance if the firm determines that any HRA or FSA member funds were affected, the Kentucky statement said.
There is no evidence that the state’s human resources IT systems or data were compromised in the incident, Kentucky’s statement said.
HealthEquity told ISMG that the breach reported to the SEC involving the third-party compromise is an “isolated incident” and is unrelated to the Kentucky incident.