HSA provider HealthEquity has determined that a cybersecurity incident disclosed earlier this month has compromised the information of 4,300,000 people.

HealthEquity, one of the largest HSA custodians in the U.S., specializes in providing health savings accounts (HSAs), flexible spending accounts (FSAs), health reimbursement arrangements (HRAs), and 401(k) retirement plans.

In a Form 8-K filing submitted on July 2, 2024, the company disclosed that threat actors stole members’ sensitive health data using a partner’s compromised credentials.

An investigation determined that the breach occurred on March 9, 2024, but was only verified by the firm on June 26, following an internal investigation.

“We discovered some unauthorized access to and potential disclosure of protected health information and/or personally identifiable information stored in an unstructured data repository outside our core systems,” reads the data breach notice to be distributed to impacted individuals on August 9, 2024.

“On June 26, 2024, after validating the data, we unfortunately determined that some of your personal information was involved.”

The data that has been exposed as a result of this breach varies per individual and includes:

• Full names
• Home address
• Telephone number
• Employer and employee ID
• Social Security Number (SSN)
• General dependent information
• Payment card information (not numbers)

The breached data repository, which HealthEquity clarified is outside its core systems, has now been secured by terminating unauthorized sessions and blocking IP addresses associated with the intruders.

Also, the firm implemented a global password reset for the vendor whose account was breached and later used to access the remote database.

Recipients of the data breach notifications will also receive a two-year credit monitoring and identity theft protection service through Equifax, with enrollment instructions in the letters.

Impacted individuals are advised to remain vigilant, review their account statements to identify suspicious activity, and log into their HealthEquity account to confirm that their personal profile and contact information are correct.

Currently, no threat actors have assumed responsibility for the attack at HealthEquity, and the stolen data has not been leaked online.