Personal Information of 4.3 Million Americans Compromised in HealthEquity Data Breach

HealthEquity, a healthcare benefits service provider in the US, disclosed a major data breach last month that affected over 4 million beneficiaries.

The Utah-based health savings account (HSA) administrator says that all 4.3 million people impacted by the incident will be notified by Aug. 9.

What happened?

HealthEquity’s data breach notice filed with the Maine Attorney General’s Office revealed that unauthorized access was discovered on June 26. Following an internal investigation and 8-K filing, it was further revealed that threat actors used the credentials of one of its partners to access sensitive data.

"We discovered some unauthorized access to and potential disclosure of protected health information and/or personally identifiable information stored in an unstructured data repository outside our core systems. On June 26, 2024, after validating the data, we unfortunately determined that some of your personal information was involved."

Affected individuals will receive an official data breach notification by mail or email, depending on the contact preferences they have selected in their accounts.

Compromised data varies per individual, and may include:

· Full names of beneficiaries

· Social Security Numbers

· Home address and telephone number

· Employee IDs and employers

· Dependent information (for general contact information only)

· Health card number and health plan member number

· HealthEquity benefit type, diagnoses, and prescription details

· Payment card information (excludes payment card number)

HealthEquity says it has secured the affected database and disabled all potentially compromised vendor accounts, forcing a global password reset for the impacted partner. Those affected by the breach will receive free identity monitoring and restoration service for 24 months.

What to do after a data breach

In the aftermath of the HealthEquity data breach, victims should take several steps to protect themselves and mitigate potential harm:

· Monitor Accounts: Regularly check HealthEquity accounts, bank accounts, credit card statements, and other financial accounts for unauthorized transactions. Set up alerts for suspicious activity where possible.

· Change Passwords: Even if passwords were not compromised, consider changing the passwords for your HealthEquity account and any other accounts that share the same password. Use strong and unique passwords for each account.  You can also opt for a password manager to generate and store complex passwords.

· Contact Financial Institutions: Notify your bank, credit card companies, and other financial institutions about the HealthEquity breach. Request new credit or debit cards if necessary.

· Check Credit Reports: Obtain free credit reports from major credit bureaus (Experian, TransUnion, Equifax) to check for unauthorized accounts or activities. You may also consider placing a fraud alert or a credit freeze on your credit reports to prevent new accounts from being opened in your name.

· Be Wary of Phishing: Watch out for emails, phone calls or messages claiming to come from HealthEquity or other institutions that are accompanied by requests for personal information, credit card numbers and passwords. Verify the source before clicking on links or providing sensitive information.

· Enroll in Identity Theft Protection Service provided by the HealthEquity.

· Secure Your Devices: Install a security solution on your devices and keep all software and operating systems up to date.

· Stay informed: Check for updates or information from your HAS provider regarding the data breach. Keep records of all communications and steps taken to mitigate the breach, including emails, phone calls, and any expenses incurred.

· Report Identity Theft: Report any signs of identity theft to the Federal Trade Commission (FTC) and your local police department.

Enhance your online security and protect against misuse of compromised personal information with Bitdefender

Bitdefender security solutions provide extensive scam prevention, fraud-fighting services and features that improve digital safety and protect your identity. This includes award-winning online security features alongside scam-busting services such as Scamio, a password manager and digital identity protection.

Take ownership of the digital you and stay on top of data security incidents with our dedicated Digital Identity Protection and Identity Theft Protection (US only) services that combine numerous prevention layers to mitigate potential risks to your identity due to data breaches and leaks.

Find all these features and more in our all-in-one security solutions here.