A massive data breach at HealthEquity has compromised the personal and health information of 4.3 million individuals. The Utah-based healthcare benefits administrator disclosed the incident in a notice filed with Maine's attorney general.
Sensitive Data Exposed in HealthEquity Breach
(Photo : Hush Naidoo Jade Photography from Unsplash)
American fintech giant HealthEquity which administers Health Savings Accounts for over 12 million people, has been hacked with 4.3 million accounts affected.
The compromised data varies among affected individuals but primarily includes account sign-up information and details about benefits administered by HealthEquity. Worryingly, the breach also exposed sensitive information such as Social Security numbers, addresses, phone numbers, employer details, dependent information, and even partial payment card data, according to the latest data breach notice.
HealthEquity's role as a benefits administrator grants employees across the United States access to essential workplace perks like health savings accounts and commuting options. With over 15 million total customer accounts, the scale of this breach is alarming.
Related Article: HealthEquity Reports Data Breach, Hackers Steal Sensitive Patient Info via Compromised Account
Third-Party Vendor Account Compromised
The company discovered unauthorized access to an external data repository containing customer information. This repository existed outside HealthEquity's core network.
Investigations revealed that a compromised vendor account and stolen password facilitated the hacker's entry.
While HealthEquity has declined to name the third-party vendor, this incident underscores the vulnerability of relying on external parties for data management, according to a report by TechCrunch.The breach also highlights the effectiveness of password-stealing malware, which can bypass multi-factor authentication by stealing session tokens.
HealthEquity's Response and Transparency Concerns
HealthEquity maintains that the incident was isolated and unrelated to other high-profile data breaches. However, the company's decision to include "noindex" code on its data breach notification page raises concerns about transparency. This code prevents search engines from indexing the page, making it difficult for affected individuals to find information about the breach.
As the investigation unfolds, it's crucial for HealthEquity to provide clear and timely communication to affected individuals. Protecting customer data should be the utmost priority, and the company must demonstrate its commitment to data security and transparency in the aftermath of this significant breach.
Almost every week, different companies are under attack by the remote hackers. A few weeks ago, MediSecure suffered a massive data breach that was "bigger" than the previous Optus hack in Australia.
According to Tech Times, while the Optus hack affected almost 10 million accounts at the time the MediSecure hack was so serious that the compromised accounts totaled almost 13 million.
What's worse during that time was that some Australians did not have any idea that their accounts were hacked or if any financial assets were stolen from their bank accounts.
Apart from that, authorities said that 6.5 TB of data was exfiltrated by unknown threat actors. Since they were all encrypted within the server, the type of affected data was hard to identify.
Read Also: Traffic Light Security Flaw: Hackers Could Cause Chaos, Says Researcher
