HealthEquity Data Breach: A Wake-Up Call for Robust Third-Party Risk Management

Written by: Frank Berke

Key Takeaways:

  • A March 2024 breach of a data repository managed by a third party exposed the personal information of 4.5 million HealthEquity customers.
  • The breach highlights the urgent need for stringent third-party risk management (TPRM) practices to safeguard data held in external systems.
  • The compromised data, including personally identifiable information, increases the risk of social engineering attacks.
  • HealthEquity promptly addressed the breach, removing unauthorized access and conducting a thorough technical investigation.
  • The incident emphasizes the need for robust data protection techniques to secure sensitive information and mitigate breach impacts.

HealthEquity Data Breach: 4.5 Million Affected in Major HSA Provider Incident

HealthEquity, a Utah-based health savings account (HSA) provider, has revealed a data breach impacting 4.5 million customers nationwide. The breach, disclosed in a notice filed with Maine’s attorney general, occurred in March 2024 and resulted from a hack of an external data repository managed by a third party, according to a spokesperson.

Additionally, the company stated that “the hacker managed to breach an unstructured data repository outside our core systems.” The spokesperson declined to offer further details on the topology or supply chain implications, noting only that this incident was not related to the recent Snowflake Enterprise Data Warehouse (EDW) breach. They also confirmed that internal systems, “including transactional platforms and integrations,” were not impacted.

HealthEquity’s Quick Response to Unauthorized Access

Unauthorized access to this data occurred on March 9, 2024. The first indication of the attack came on March 25, 2024, via an alert from one of HealthEquity’s Managed Security Service Providers (MSSPs) after unusual activity was detected in the environment. HealthEquity states that immediate action was taken upon receiving the alert from the MSSP vendor: the issue was resolved quickly, and the attacker’s access was removed before an “extensive technical investigation and … data forensics” effort that lasted through June 10, 2024. The company reiterated that the breached data resided in a repository outside its core systems.

Exposed Data Increases Risk of Social Engineering Attacks

The stolen personally identifiable information (PII) included a mix of benefits sign-up information, which varied by customer. The exposed HealthEquity data may include names, contact information, Social Security numbers (SSNs), employer information, health plan details, diagnoses, prescription information, HealthEquity benefits, and account details. Additionally, payment card details, excluding card numbers, may also have been compromised, according to the breach notice. This type of information provides attackers with ample opportunities for social engineering and targeted attacks.

Erich Kron, a security awareness advocate at KnowBe4, noted in an emailed statement that “by referencing a procedure or test that an individual might think is private and known only to medical professionals, bad actors can more easily build trust with potential victims.”

The Critical Need for Third-Party Risk Management & Data-Centric Security Techniques

Data breaches like this one highlight the importance of implementing a comprehensive vetting process for an organization’s third-party vendors, particularly those with hybrid storage footprints. Additionally, regular reviews of each vendor’s security posture – using verifiable resources, such as third-party audits – and enforcing strict security standards through robust agreements are crucial for safeguarding your organization.

Moreover, prioritizing data-centric security techniques — such as encryption, tokenization, and secure access controls — is essential to protecting sensitive information effectively. Organizations today must understand that their security posture is directly linked to the practices of their third-party vendors and service providers. By securing the data itself and not only the network, organizations can reduce the risk of exposure and limit the impact of breaches if (and, more likely, when) they occur.
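As an added illustration of the data-centric approach described above (example code written for this article, not HealthEquity’s or any vendor’s implementation), the snippet below tokenizes sensitive fields such as SSN and diagnosis before a record is copied to an external repository. The token vault and its key stay inside the core system, so a breach of the external copy yields tokens rather than PII. The record, field names, and in-memory vault are constructed stand-ins.

```python
"""Field-level tokenization so an external repository never holds raw PII."""
import hashlib
import hmac

# Policy decision: which fields must never leave core systems in the clear.
SENSITIVE_FIELDS = ("ssn", "diagnosis", "prescription")


class TokenVault:
    """Lives inside the core system; maps tokens back to plaintext.

    The in-memory dict is a constructed stand-in for a real vault.
    """

    def __init__(self, key: bytes):
        self._key = key
        self._store: dict[str, str] = {}

    def tokenize(self, field: str, value: str) -> str:
        # Deterministic: HMAC over field + value so the same SSN always maps to
        # the same token, preserving joins/deduplication in the external copy.
        # Caveat: equal values produce equal tokens, so equality is observable;
        # the key must never leave the core system.
        mac = hmac.new(self._key, f"{field}\x00{value}".encode(), hashlib.sha256)
        token = f"tok_{field}_{mac.hexdigest()[:24]}"
        self._store[token] = value
        return token

    def detokenize(self, token: str) -> str:
        return self._store[token]


def export_record(vault: TokenVault, record: dict) -> dict:
    """Build the copy that may be written to the external repository."""
    return {k: vault.tokenize(k, v) if k in SENSITIVE_FIELDS else v
            for k, v in record.items()}


def restore_record(vault: TokenVault, exported: dict) -> dict:
    """Reverse the export inside the core system only."""
    return {k: vault.detokenize(v) if k in SENSITIVE_FIELDS else v
            for k, v in exported.items()}


def leaks_raw_pii(exported: dict, record: dict) -> bool:
    """True if any sensitive plaintext survives anywhere in the exported copy."""
    blob = repr(exported)
    return any(record[f] in blob for f in SENSITIVE_FIELDS if f in record)


# Constructed sample record; not real data.
SAMPLE = {"name": "A. Example", "employer": "Example Co",
          "ssn": "123-45-6789", "diagnosis": "J45.20"}
```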

How Wolf Can Assist

For businesses seeking to enhance their security posture and protect against third-party risks, our expert team is here to help. By delivering customized, high-level cybersecurity guidance, we ensure your business stays secure, compliant, and resilient against emerging threats – contact us today to learn more.