HealthEquity has revealed that a data breach at a third-party vendor compromised the personal and health information of 4.3 million individuals. The breach, identified on March 25, exposed protected health information (PHI) and personally identifiable information (PII) stored in an unstructured data repository outside of HealthEquity’s core systems. Attackers gained access by compromising vendor user accounts, leading to the unauthorized disclosure of sensitive information such as names, addresses, Social Security numbers, employee IDs, and payment card details.
In response, HealthEquity took immediate action to secure the compromised accounts, terminate active sessions, block associated IP addresses, and reset passwords globally for the affected vendor. Starting August 9, the company will notify the impacted individuals and offer two years of free credit identity monitoring and restoration services. HealthEquity assures that, so far, there has been no evidence of misuse of the compromised data.