HealthEquity Phishing Attack Affects the PHI of 190,000 People
HealthEquity is informing 190,000 people about the exposure of some of their protected health information (PHI) because of a phishing attack.

HealthEquity is a Utah-based company that offers services to clients seeking tax advantages to offset healthcare expenses, either through employers or health plans. The company provides services such as health savings accounts (HSAs), limited purpose flexible spending arrangements (FSAs), health FSAs and dependent care reimbursement accounts (DCRAs). In providing these services, HealthEquity gains access to PHI, which is sometimes shared through email.

On October 5, 2018, HealthEquity’s security department discovered that an unauthorized person had accessed two Office 365 email accounts. Upon investigating the cyberattack, HealthEquity confirmed on October 20, 2018 that two of its employees’ email accounts had been compromised. The breached email accounts were used to provide services and contained employees’ and clients’ sensitive personal data.

The investigation established that the unauthorized third party accessed one of the email accounts on October 5, 2018. The second email account was initially breached on September 4, 2018 and the unauthorized person subsequently accessed it again on several occasions until October 3, 2018.

While the investigation verified that the accounts were accessed without authorization, it could not determine whether any emails in the accounts were opened, viewed or copied. So far, there is no report that the information was misused in any way.

The PHI potentially accessed by the attacker included names, account types, employer names, health plan names and Social Security numbers.

Many covered entities that discover the compromise of highly sensitive PHI offer victims free credit monitoring and identity theft protection services. Usually these services are offered for one year or, less commonly, for 24 months. HealthEquity chose to offer breach victims five years of those services through MyIDCare at no charge, along with a $1,000,000 insurance reimbursement policy.

Aside from the extended protection offered to breach victims, HealthEquity improved its email security and updated its security procedures. Employees received further training on the additional technical security controls that were implemented, and monitoring of email accounts was enhanced so that suspicious activity can be identified quickly.