On Tuesday, health technology services provider HealthEquity disclosed in a filing with federal regulators that it had a data breach, in which hackers stole “secure health information” of some customers.
In an 8-K filing with the SEC, the company said it discovered “anomalous behavior on a business partner's personal device,” and concluded that the partner's account had been compromised by someone who then used the account to access members. information.
On Wednesday, HealthEquity disclosed more details of the incident with TechCrunch. HealthEquity spokeswoman Amy Cerny said in an email that this was an “isolated incident” not connected to other recent breaches, such as the one at Change Healthcare, which is owned by healthcare giant UnitedHealth. In May, UnitedHealth CEO Andrew Witty said in a House hearing that the breach affected “probably a third” of all Americans.
HealthEquity discovered the breach on March 25, when it “took immediate action, resolved the issue, and began a comprehensive data investigation, which was completed on June 10.” The company assembled “a team of external and internal experts to investigate and prepare a response.” The investigation found that the breach was due to a compromised third-party merchant account having access to “some of HealthEquity's SharePoint data,” according to Cerny.
contact us
Do you have more information about this HealthEquity breach? On a non-working device, you can contact Lorenzo Franceschi-Bicchierai securely on Signal at +1 917 257 1382, or via Telegram, Keybase and Phone @lorenzofb, or via email. You can also contact TechCrunch via SecureDrop.
SharePoint is a collection of Microsoft tools that allow companies to create websites, as well as store and share information internally – essentially an intranet.
Cerny also said that “transaction plans, where the merger took place, were not affected,” and that the company informed its partners, clients and members, and was working with law enforcement and experts to work on preventing future incidents.
TechCrunch asked Cerny to specify what personally identifiable and “protected health” information was stolen in the breach, how many people were affected and which partner was involved. Cerny refused to answer all these questions.
Earlier this year, HealthEquity reported that the company and its subsidiaries “manage HSAs and other CDBs in our more than 15 million accounts in partnership with employers, benefits advisors, and health and retirement plan providers.”
Source link
