Health Benefits Administrator Hack Affects 4.3 Million
Breach Was the Result of a Vendor's Compromised Credentials to Access SharePoint

Health benefits administrator HealthEquity, which earlier this month reported to the U.S. Securities and Exchange Commission a hacking incident involving the compromised credentials of a vendor, has now told state regulators that the breach affected the information of 4.3 million individuals.
Draper, Utah-based HealthEquity on Friday reported to Maine's attorney general that a hack discovered in March involved unauthorized access to and potential disclosure of protected health information and personal identifiable information stored in an unstructured data repository outside the company's core systems.
Of the 4.3 million people affected, 13,480 are Maine residents, HealthEquity said.
"After receiving an alert, on March 25, 2024, HealthEquity became aware of a systems anomaly requiring extensive technical investigation and ultimately resulting in data forensics until June 10," HealthEquity told Maine's attorney general.
HealthEquity in a statement to Information Security Media Group said the third-party vendor had access to HealthEquity data kept on a SharePoint server (see: Health Benefits Administrator Reports 3rd-Party Hack to SEC).
The incident compromised data of HealthEquity as well as its two subsidiaries - WageWorks, Inc. and Further Operations LLC, the company said. HealthEquity is the custodian of health savings accounts and a directed third-party administrator of flexible savings accounts, health reimbursement arrangements, commuter, COBRA and lifestyle spending account benefits programs.
HealthEquity on its website said more than 120,000 organizations and 14 million members use its benefits management services.
The compromise primarily involved sign-up information for accounts and benefits that HealthEquity administers.
Affected information includes name, address, telephone number, employee ID, employer, Social Security number, dependent information for general contact, and payment card information. The affected card information does not include payment card number or HealthEquity debit card information, the company said.
HealthEquity said that as a result of its investigation, it took immediate actions including disabling all potentially compromised vendor accounts and terminating all active sessions, blocking all IP addresses associated with threat actor activity and implementing a global password reset for the affected vendor.
"Additionally, we enhanced our security and monitoring efforts, internal controls and security posture," HealthEquity said.
The company is offering affected individuals two years of complimentary identity and credit monitoring.
In its filing to the SEC earlier this month, HealthEquity said that it doesn't consider the event to have a "material adverse effect" on its business, operations or financial results. It also disclosed that it filed a claim with a cyber insurance provider and that it believes the policy should cover incident costs.
HealthEquity declined ISMG's request for additional details pertaining to the incident.
As of Monday, the HealthEquity incident was not yet posted on the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals. But once posted, the HealthEquity incident will potentially rank among the five largest HIPAA breaches reported so far in 2024.
Vendor Risk Grows
The HealthEquity hack joins a long list of large data compromises in the healthcare industry involving supply chain partners and vendors, experts said.
"The use of third parties as an initial access vector is an escalating threat, and this brings third-party risk management directly into focus," said Mike Hamilton, founder and CISO of security firm Critical Insight.
"Third-party risk management needs to improve and get away from simply collecting documentation on their controls and begin to require that certain controls are in place prior to vendor selection," he said. Using such a market force - especially as part of the procurement process - is likely to be more effective than the techniques we use today to evaluate vendors, Hamilton said.
"Access to data by third parties will continue to be necessary to conduct business, but the methods of access need to be continually evaluated for appropriateness based on need and the threat landscape," said Dustin Hutchison, CISO and senior vice president of services at security firm Pondurance.
"Minimum necessary access for specific users and roles should always be followed and the use of unique user accounts and multifactor authentication for any remote access of data is necessary," he said.
Organizations need to work with their third-party vendors to understand expected user behaviors and detection mechanisms that are available to both parties, Hutchison said.
"A compromised account can often be stopped from accessing additional data when multifactor authentication is also used but the organization should also work with vendors to establish reporting processes to disable accounts in the event of a known compromise. Third-party vendor accounts should be unique to the client system with strong password requirements, including not allowing the reuse of passwords."
Business associates can be dissuaded from using internet-facing file sharing systems, such as SharePoint, Hamilton said. "Or, if that is not possible, ensure that the business associate is using cloud security posture management for continuous evaluation of systems that house PHI and that there is a process for responding to security weaknesses and vulnerabilities identified."
"If PHI is to be stored on an internet-facing system, this must be known to the covered entity, and controls around the confidentiality of that information should be enumerated and then tested periodically - if not continuously," he said.
HIPAA-covered organizations must expand and improve their scrutiny of business associates - especially when they have access to or store PHI on behalf of the organization, Hamilton said.
Good monitoring and detection analytics around behavior is the best way to identify credential abuse, he said. A baseline of statistical behavior can be created for each asset on the network, including users.
"Aberrational behavior can then create an alert for investigation. These aberrations can include login behavior that is too geographically distributed to be possible, for example," he said.
"Covered entities, because of the uptick in third-party compromises, may want to require business associates to perform this type of monitoring, with business associate agreements that include mandatory notification of certain events."
Healthcare sector entities may also want to ensure that conditional access policies are in place for business associates, Hamilton said, "such that extra-national logins are not allowed at all."
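As an added illustration of the behavioral monitoring and conditional-access controls Hamilton describes above (this is example code written for this page, not code from HealthEquity, its vendor or the article), the following Python script runs an impossible-travel check and an extra-national login check over a handful of constructed login events; the account names, coordinates, allowed-country list and the 1,000 km/h plausibility threshold are assumptions.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample login events for vendor accounts (not from the article).
# Fields: account, ISO-8601 UTC timestamp, GeoIP country, latitude, longitude.
SAMPLE_LOGINS = [
    ("vendor-svc-01", "2024-03-25T08:00:00", "US", 40.52, -111.86),  # Draper, UT
    ("vendor-svc-01", "2024-03-25T09:30:00", "US", 40.76, -111.89),  # Salt Lake City
    ("vendor-svc-01", "2024-03-25T10:15:00", "DE", 52.52, 13.40),    # Berlin, 45 min later
    ("vendor-svc-02", "2024-03-25T11:00:00", "US", 40.52, -111.86),
]

ALLOWED_COUNTRIES = {"US"}   # assumed conditional-access policy: no extra-national logins
MAX_PLAUSIBLE_KMH = 1000.0   # assumed: faster than an airliner means impossible travel
MIN_DISTANCE_KM = 50.0       # assumed: ignore GeoIP jitter between nearby locations


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two WGS84 points."""
    earth_radius_km = 6371.0
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlambda = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlambda / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def detect_anomalies(events, allowed=ALLOWED_COUNTRIES, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (account, timestamp, reason) tuples for logins that violate the
    country policy or imply impossible travel relative to the account's previous login."""
    alerts = []
    last_seen = {}  # account -> (datetime, lat, lon) of the most recent login
    for account, ts, country, lat, lon in sorted(events, key=lambda e: e[1]):
        now = datetime.fromisoformat(ts)
        if country not in allowed:
            alerts.append((account, ts, f"extra-national login from {country}"))
        if account in last_seen:
            prev_time, prev_lat, prev_lon = last_seen[account]
            hours = (now - prev_time).total_seconds() / 3600
            dist = haversine_km(prev_lat, prev_lon, lat, lon)
            # Simultaneous logins from distant places count as infinite speed.
            speed = dist / hours if hours > 0 else float("inf")
            if dist > MIN_DISTANCE_KM and speed > max_kmh:
                alerts.append((account, ts, f"impossible travel: {dist:.0f} km in {hours:.2f} h"))
        last_seen[account] = (now, lat, lon)
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalies(SAMPLE_LOGINS):
        print(alert)
```

In a real deployment the event list would be fed from the identity provider's sign-in log, and the allowed-country set would come from the conditional-access policy agreed in the business associate agreement.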