HealthEquity has announced a data breach impacting 4.3 million individuals, involving their personal and sensitive health details, following a security incident in March.
The official notification issued to the Maine attorney general by the Utah-headquartered benefits management firm revealed that the extent of data exposure varies by individual but predominantly covers registration details and information about the benefits HealthEquity manages.
According to HealthEquity, compromised information could include clients’ names, addresses, contact numbers, Social Security numbers, details about their employment and dependents, alongside certain payment card data.
HealthEquity, serving employees nationwide by facilitating access to employer-provided benefits like health savings accounts and commuter benefits, reported managing over 15 million total customer accounts during its February financial disclosure, as seen on its investor relations page.
The breach was uncovered when unauthorized activity was detected in an external “unstructured data repository” housing sensitive client and health information, a portion of which includes diagnostic and prescription data, as disclosed by the company.
This security lapse occurred due to the compromise of a vendor user account, leading to the theft of a password that facilitated unauthorized data access, HealthEquity explained in its advisory.
Upon request for additional details, HealthEquity refrained from identifying the implicated third-party supplier. It has, however, previously indicated to TechCrunch that the breach was linked to an account with access to HealthEquity’s SharePoint data, hinting at an exploitation of Microsoft SharePoint’s functionalities for internal collaboration.
This incident mirrors security challenges faced by other organizations like Activision, Snowflake, and Worldcoin, where insider credential theft, particularly via password-stealing malware, played a pivotal role. Such malware not only retrieves stored passwords but can occasionally circumvent multi-factor authentication protections by capturing session tokens, thereby granting attackers seamless network entry under the guise of a legitimate employee.
Stacie Saltzgiver, a spokesperson for HealthEquity, described the breach as a “standalone event,” distinctly separating it from other high-profile data compromises, including those involving the cloud infrastructure provider Snowflake.
Furthermore, HealthEquity has issued an online notice about the breach. Notably, when reviewed by TechCrunch, the notification page was found to carry a “noindex” directive intended to prevent search engines from indexing the page, thus hindering the discoverability of the breach notice through online search platforms.
When queried by TechCrunch, the company’s representative did not address the inclusion of the “noindex” code.
Compiled by Techarena.au.


