Intruders at HealthEquity rifled through storage, stole 4.3M people's data

No mention of malware or ransomware – somewhat of a rarity these days


HealthEquity, a US fintech firm for the healthcare sector, admits that a "data security event" it discovered at the end of June hit the data of a substantial 4.3 million individuals. Stolen details include addresses, telephone numbers and payment data.

The incident began in March but was only detected in June. The company said in a letter to those affected that it received an alert on March 25 about a "systems anomaly requiring extensive technical investigation and ultimately resulting in data forensics" and that work continued until June 26 – the point at which it became aware that criminals had stolen sensitive data.

In the company's original Form 8-K filed with the Securities and Exchange Commission (SEC) on July 2, it said no malicious code was found in its systems. There was also no mention of extortion, which suggests this was a straightforward data smash-and-grab job rather than ransomware.

"Once we detected the unauthorized activity, we immediately launched an investigation and engaged third-party experts to determine the nature and scope of the incident," the letter reads. "We learned during our investigation that a vendor's user accounts – which had access to an online data storage location – were compromised and that because of this, an unauthorized party was able to access a limited amount of data stored in a storage location outside our core systems.

"As a result of our investigation, we took immediate actions including disabling all potentially compromised vendor accounts and terminating all active sessions; blocking all IP addresses associated with threat actor activity; and implementing a global password reset for the impacted vendor. Additionally, we enhanced our security and monitoring efforts, internal controls, and security posture."

HealthEquity's main offering is health savings accounts (HSAs), which allow individuals to save money and use it tax-free for certain medical expenses. The compromised data includes information collected during the sign-up phase, which the unnamed cybercriminals subsequently stole.

Not all individuals have had the same data types stolen, but they could include any combination of first and last names, home addresses, telephone numbers, employee IDs, employer names, SSNs, general contact information about dependents, and payment card data (not including card numbers or HealthEquity debit card information).

HealthEquity said it wasn't aware of any cases where the stolen data has been misused, but has offered everyone affected the usual credit monitoring and identity theft services for two years through Equifax.

The incident is one of many targeting the healthcare sector in recent times, but the absence of malware or ransomware is a rare curiosity. 

Healthcare is often seen as a prime target for ransomware given the industry's inherent need to maintain operational uptime, but it's rare to see data theft at a major organization without the miscreants trying to further leverage their access into a larger payout.

Significant cases in recent months include the ALPHV/BlackCat (RIP) attack on Change Healthcare and Qilin's attack on Synnovis, a pathology services provider to major London hospitals.
