HealthEquity data breach affects 4.3 million people

HealthEquity is notifying 4.3 million people following a March data breach that affects their personal and protected health information.

In its data breach notice, filed with Maine’s attorney general, the Utah-based healthcare benefits administrator said that although the compromised data varies by person, it largely consists of sign-up information for accounts and information about benefits that the company administers.

HealthEquity said the data may include customer names, addresses, phone numbers, their Social Security number, information about the person’s employer and the person’s dependent (if any), and some payment card information. 

HealthEquity provides employees at companies across the United States access to workplace benefits, like health savings accounts and commuter options for public transit and parking. At its February earnings, HealthEquity said it had more than 15 million total customer accounts.

In its data breach notice, HealthEquity said it discovered the data breach after finding unauthorized access in an “unstructured data repository” outside of its core network that contained customers’ personal and health information. Some of the stolen data also includes information about diagnoses and prescriptions, the company said.

The notice said that the breach occurred because a user account of one of HealthEquity’s vendors was compromised and their password stolen, which was used by the malicious hacker to access the data repository.

When reached for comment, HealthEquity would not name the third-party vendor. The company previously told TechCrunch that the compromised third-party vendor account had access to “some of HealthEquity’s SharePoint data,” referring to Microsoft SharePoint, which allows companies to create their own internal intranets. 

Several other companies in recent years, including Activision, Snowflake, and Worldcoin, have experienced security incidents because of employee password theft, often by way of password-stealing malware, which scrapes the passwords and credentials found on an employee’s computer. Some password-stealing malware can skirt multi-factor authentication, a security feature that can block some password theft attacks, by stealing session tokens, which are stored on an employee’s computer to keep them persistently logged in. When stolen, session tokens can be used to gain access to the company’s network as if the hacker was that employee.

HealthEquity spokesperson Stacie Saltzgiver reiterated that the data breach was an “isolated incident” and confirmed that it was unrelated to the recent breaches of customer data held by cloud giant Snowflake.

HealthEquity has published a data breach notification on its website. When TechCrunch checked the website notice, HealthEquity included hidden “noindex” code on the page that tells search engines to ignore the webpage, effectively blocking affected individuals from finding HealthEquity’s data breach notice in search results. 

When asked by TechCrunch, the company’s spokesperson did not comment on the inclusion of the code.