An email hack on two employee email accounts potentially breached the personal data of 190,000 HealthEquity customers. HealthEquity provides health savings accounts and similar services to more than 3.4 million individuals.
This is the second breach reported by HealthEquity this year. In June, an unauthorized user hacked into an employee’s email account and breached the data of 16,000 customers.
The most recent breach is similar to the June hack. HealthEquity’s security team discovered the breach on October 5, in which an unauthorized user accessed two employee accounts.
An investigation found the first email account was hacked on October 5, and the other account was breached on multiple occasions between September 4 and October 3.
In an emailed statement to HealthITSecurity.com, officials said hackers exploited an email configuration error to bypass the multi-factor and device authentication through a “sophisticated method.”
“Within hours of the attack, we reset passwords, corrected the error and engaged a forensics firm,” officials said. “While the attack was limited to two email boxes, and none of our other systems were accessed, we remain vigilant and proactive in protecting the personal information of our members.”
Those email accounts contained protected health information, as HealthEquity uses email to communicate HSA needs. The impacted data included names, health savings plan types, Social Security numbers, employer names and health plan names.
There are four different versions of notification letters sent to the Californian individuals impacted by the breach, which were obtained by DataBreaches.net.
The first version went out to about 3,700 Californians to notify them their Social Security number was breached in the event. The second version told nearly 6,000 Californians their employer name was included. For about 11,100 Californians, Social Security numbers, account types and employers were included. Enrollment data was breached for just eight Californians.
While healthcare organizations typically provide a year of free credit monitoring, in a rare move, the health savings trustee is offering victims five years of free credit monitoring and identity theft protection services and a $1 million insurance reimbursement policy.
“HealthEquity has adopted enhanced security practices to prevent a similar incident from occurring in the future, including the implementation of additional technical security measures and retraining and reeducation of its workforce, and is actively monitoring accounts for any suspicious activity,” HealthEquity President and CEO Jon Kessler said in a statement.
“We sincerely apologize for this incident and are working hard to make it right,” he added.
This is the second massive breach reported this week. New York Oncology Hematology is notifying 128,400 employees and patients that their patient data may have been breached, after 15 employees fell victim to a phishing campaign in April.
This story has been updated with an official statement from HealthEquity.