US firm HealthEquity has revealed that a data breach earlier this year led to the compromise of personal and financial information on millions of customers.
A filing with the Maine Office of Attorney General (OAG) revealed the incident occurred on March 9 but was not confirmed by the company until June 26.
Some 4.3 million customers are affected by the breach, with notification letters due to be sent out on August 9. The firm already notified the SEC about the incident, back on July 2.
As a health savings account (HSA) specialist, HealthEquity has access to a range of protected health information (PHI) and personally identifiable information (PII).
Read more on HealthEquity breaches: 23,000 Individuals Affected in HealthEquity Breach
Although not all data types were compromised for each affected customer, compromised information included: first name, last name, address, telephone number, employee ID, employer, social security number, dependent contact information and payment card information (although not payment card number or HealthEquity debit card information).
“After receiving an alert, on March 25, 2024, HealthEquity became aware of a systems anomaly requiring extensive technical investigation and ultimately resulting in data forensics until June 10, 2024,” the breach notification read.
“Through this work, we discovered some unauthorized access to and potential disclosure of protected health information and/or personally identifiable information stored in an unstructured data repository outside our core systems.”
During its investigation, HealthEquity discovered that the breach stemmed from the compromise of “a vendor’s user accounts – which had access to an online data storage location,” according to the notification.
“Because of this, an unauthorized party was able to access a limited amount of data stored in a storage location outside our core systems,” it added.
“As a result of our investigation, we took immediate actions including disabling all potentially compromised vendor accounts and terminating all active sessions; blocking all IP addresses associated with threat actor activity; and implementing a global password reset for the impacted vendor. Additionally, we enhanced our security and monitoring efforts, internal controls, and security posture.”