
Health Benefits Administrator Reports 3rd-Party Hack to SEC

HealthEquity Says a Vendor's Compromised Credentials Led to Data Theft Breach

Healthcare benefits plan administrator HealthEquity said hackers obtained sensitive data in a breach involving compromised credentials held by a third-party vendor. The incident did not disrupt company IT systems.


In a Tuesday filing with U.S. federal regulators, HealthEquity said the company "became aware, through routine monitoring, of anomalous behavior by a personal use device belonging to a business partner."

The company concluded that the third-party vendor's user account had been compromised by an unauthorized actor, who used that account to access information.

Some data was also determined to have been "transferred off the partner's systems." Information affected includes personal identifiable information and protected health information pertaining to certain HealthEquity benefits members.

The incident did not cause interruption to HealthEquity's IT systems, services or business operations, and no malicious code was found in HealthEquity's systems, the company said.

HealthEquity is in the process of notifying affected partners and clients, as well as identifying and notifying individual members whose information was affected by the incident.

It told the U.S. Securities and Exchange Commission that it doesn't consider the event to have a "material adverse effect" on its business, operations or financial results. It also disclosed that it has filed a claim with its cyber insurance provider and believes the policy should cover the incident's costs.

Draper, Utah-based HealthEquity on its website said more than 120,000 organizations and 14 million members use its benefits management services.

HealthEquity in a statement to Information Security Media Group said the third-party vendor had access to HealthEquity data kept on a SharePoint server.
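The filing says the intrusion surfaced through routine monitoring of anomalous behavior by a partner's personal device, and the statement above places the data on a SharePoint server. The following is an added example, not HealthEquity's monitoring and not code from the article: a small detector that flags a partner-domain account bulk-downloading SharePoint files from a device the tenant does not manage. The audit records are constructed for the example, and the field names (`ts`, `user`, `op`, `site`, `device_managed`), the partner domains, the threshold and the window are all assumptions standing in for whatever a real tenant's audit export provides.

```python
"""Added example: flag partner accounts bulk-downloading from SharePoint
from unmanaged devices. Not HealthEquity's monitoring; records and field
names are constructed/assumed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumptions for the example: which e-mail domains are third-party partners,
# how many downloads inside one window count as bulk, and the window length.
PARTNER_DOMAINS = {"partner.example"}
THRESHOLD = 20
WINDOW = timedelta(minutes=10)


def _make(user, n, start, step_seconds, managed, op="FileDownloaded"):
    """Build n constructed audit records for one user, step_seconds apart."""
    base = datetime.fromisoformat(start)
    return [
        {
            "ts": (base + timedelta(seconds=i * step_seconds)).isoformat(),
            "user": user,
            "op": op,
            "site": "/sites/benefits-data",
            "device_managed": managed,
        }
        for i in range(n)
    ]


# Constructed sample log: one burst that should alert, three that should not.
SAMPLE_EVENTS = (
    _make("vendor.user@partner.example", 25, "2024-07-02T09:00:00", 10, False)  # 25 downloads in ~4 min, unmanaged device
    + _make("vendor.user@partner.example", 3, "2024-06-30T08:00:00", 600, True)  # sparse, managed device: normal
    + _make("analyst@healthco.example", 40, "2024-07-02T09:00:00", 5, True)      # internal account: out of scope here
    + _make("other@partner.example", 5, "2024-07-02T10:00:00", 60, False)        # partner, but below threshold
    + _make("vendor.user@partner.example", 10, "2024-07-02T09:01:00", 1, False, op="PageViewed")  # views, not downloads
)


def is_partner_account(user, partner_domains=PARTNER_DOMAINS):
    """True when the account's e-mail domain belongs to a known partner."""
    _, _, domain = user.rpartition("@")
    return domain.lower() in partner_domains


def find_bulk_downloads(events, partner_domains=PARTNER_DOMAINS,
                        threshold=THRESHOLD, window=WINDOW):
    """Return one alert per partner account whose unmanaged-device downloads
    reach `threshold` inside any `window`-long span (sliding window per user).
    """
    per_user = defaultdict(list)
    for e in events:
        if e["op"] != "FileDownloaded" or e["device_managed"]:
            continue
        if not is_partner_account(e["user"], partner_domains):
            continue
        per_user[e["user"]].append(datetime.fromisoformat(e["ts"]))

    alerts = []
    for user, stamps in per_user.items():
        stamps.sort()
        left = 0
        best = None
        for right, t in enumerate(stamps):
            # Advance the left edge until the window fits [left, right].
            while t - stamps[left] > window:
                left += 1
            count = right - left + 1
            if count >= threshold and (best is None or count > best["count"]):
                best = {"user": user, "count": count,
                        "start": stamps[left].isoformat(), "end": t.isoformat()}
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in find_bulk_downloads(SAMPLE_EVENTS):
        print(alert)
```

The rule deliberately keys on two conditions at once, partner identity and an unmanaged device, because either alone is noisy: vendors legitimately download files, and employees legitimately use unmanaged devices in many tenants. Tune `THRESHOLD` and `WINDOW` against a baseline of real partner activity before relying on it.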

As of Friday, the HealthEquity incident did not appear posted on the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.

Another HealthEquity Incident, in Kentucky

In a separate, unrelated HealthEquity incident, Kentucky Gov. Andy Beshear's personnel cabinet office said in a June 21 statement that the firm had notified it on May 14 that 449 participants in the Kentucky employees' health plan were affected by a data security incident at the company.

HealthEquity administers flexible spending accounts and health reimbursement arrangements on behalf of the Kentucky employees' health plan. Kentucky's statement said HealthEquity determined the "potential fraud event" was presumed to involve "bad actors" who accessed the members' accounts with the aim of receiving money from claim reimbursements.

"No personal identifying information, including Social Security numbers or bank account numbers, is known to have been compromised," the statement says.

"Although the HealthEquity member portal masks personally identifiable information and existing bank account information, it does provide the ability to view previously submitted reimbursement claims, which may contain PHI and/or PII," the Kentucky government's statement says.

"However, no evidence supports that the bad actors viewed any prior claims documentation in the affected account."

HealthEquity is investigating whether any claim reimbursements were fraudulently submitted or redirected, and has pledged to restore any member accounts to the prior balance if the firm determines that any HRA or FSA member funds were affected, the statement says.

There is no evidence that the state's human resources IT systems or data were compromised in the incident, it says.

HealthEquity told ISMG that the third-party credential compromise it reported to the SEC is an "isolated incident" and unrelated to the Kentucky incident.

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.