Massive Data Breach Exposes Sensitive Data of More Than 4 Million Americans

Penka Hristovska, Senior Editor

More than 4.3 million Americans have had their personal data stolen by hackers after HSA provider HealthEquity suffered a data breach. The stolen information consisted of sign-up information for the accounts and benefits it manages.

The exposed data may include details in one or more of the following categories: first and last names, addresses, telephone numbers, employee IDs, employers, Social Security numbers, health card numbers, health plan member numbers, dependent contact information, HealthEquity benefit types, diagnoses, prescription details, payment card information (excluding payment card numbers), and/or HealthEquity account types.

It’s important to note that not every data category was compromised for every member.

In a Form 8-K filing with the SEC at the start of July, HealthEquity disclosed that hackers accessed sensitive health data using compromised credentials from one of its partners. The company first detected the system anomaly on March 25, with the investigation continuing until June 10. HealthEquity only confirmed the extent of the intrusion at the end of June.

“We discovered some unauthorized access to and potential disclosure of protected health information and/or personally identifiable information stored in an unstructured data repository outside our core systems. On June 26, 2024, after validating the data, we unfortunately determined that some of your personal information was involved.”

HealthEquity has since secured the compromised database, disabled all potentially affected vendor accounts, blocked all IP addresses associated with the hack, and implemented a global password reset for the impacted partner. The company is now offering those affected by the breach 24 months of free identity monitoring and restoration services.

HealthEquity says it's still in the process of notifying customers who have been affected by the breach. It explained that all impacted individuals will be notified by mail or email, depending on their account communication preferences. It's expected that everyone impacted will be officially notified by Aug. 9.

About the Author

Penka Hristovska is an editor at SafetyDetectives. She was an editor at several review sites that covered all things technology — including VPNs and password managers — and had previously written on various topics, from online security and gaming to computer hardware. She’s highly interested in the latest developments in the cybersecurity space and enjoys learning about new trends in the tech sector. When she’s not in “research mode,” she’s probably re-watching Lord of The Rings or playing DOTA 2 with her friends.
