Health Benefits Administrator Reports 3rd-Party Hack to SEC
HealthEquity Says a Vendor's Compromised Credentials Led to Data Theft Breach
Healthcare benefits plan administrator HealthEquity said hackers obtained sensitive data in a breach involving compromised credentials held by a third-party vendor. The incident did not disrupt company IT systems.
In a Tuesday filing with U.S. federal regulators, HealthEquity said the company "became aware, through routine monitoring, of anomalous behavior by a personal use device belonging to a business partner."
The company concluded that the third-party vendor's user account had been compromised by an unauthorized actor, who used that account to access information.
Some data was also determined to have been "transferred off the partner's systems." The information affected includes personally identifiable information and protected health information pertaining to certain HealthEquity benefits members.
The incident did not cause interruption to HealthEquity's IT systems, services or business operations, and no malicious code was found in HealthEquity's systems, the company said.
HealthEquity is in the process of notifying affected partners and clients, as well as identifying and notifying individual members whose information was affected by the incident.
It told the U.S. Securities and Exchange Commission that it doesn't consider the event to have a "material adverse effect" on its business, operations or financial results. It also disclosed filing a claim with a cyber insurance provider and its belief that the policy should cover incident costs.
Draper, Utah-based HealthEquity on its website said more than 120,000 organizations and 14 million members use its benefits management services.
HealthEquity in a statement to Information Security Media Group said the third-party vendor had access to HealthEquity data kept on a SharePoint server.
As of Friday, the HealthEquity incident did not appear posted on the U.S. Department of Health and Human Services' HIPAA Breach Reporting Tool website listing health data breaches affecting 500 or more individuals.
Another HealthEquity Incident, in Kentucky
In a separate, unrelated HealthEquity incident, Kentucky Gov. Andy Beshear's personnel cabinet office in a June 21 statement said that it had been notified by the firm on May 14 that 449 individuals participating in the Kentucky employees' health plan were affected by a data security incident at the company.
HealthEquity administers flexible spending accounts and health reimbursement arrangements on behalf of the Kentucky employees' health plan. Kentucky's statement said HealthEquity determined the "potential fraud event" was presumed to involve "bad actors" who accessed the members' accounts with the aim of receiving money from claim reimbursements.
"No personal identifying information, including Social Security numbers or bank account numbers, is known to have been compromised," the statement says.
"Although the HealthEquity member portal masks personally identifiable information and existing bank account information, it does provide the ability to view previously submitted reimbursement claims, which may contain PHI and/or PII," the Kentucky government's statement says.
"However, no evidence supports that the bad actors viewed any prior claims documentation in the affected account."
HealthEquity is investigating whether any claim reimbursements were fraudulently submitted or redirected, and has pledged to restore any member accounts to the prior balance if the firm determines that any HRA or FSA member funds were affected, the statement says.
There is no evidence that the state's human resources IT systems or data were compromised in the incident, it says.
HealthEquity told ISMG that the breach reported to the SEC, involving the third-party compromise, is an "isolated incident" and unrelated to the Kentucky incident.