HealthEquity states that the data breach is an ‘isolated incident’

HealthEquity, a health tech services provider, disclosed on Tuesday that it experienced a data breach involving the theft of “protected health information” (PHI) belonging to some of its customers. The incident was detailed in an 8-K filing with the SEC, in which the company reported detecting anomalous behavior linked to a personal-use device associated with a business partner. Subsequent investigations revealed that the partner’s account had been compromised, allowing unauthorized access to member information.

According to HealthEquity spokesperson Amy Cerny, the breach was identified on March 25, prompting immediate actions to resolve the issue and initiate extensive data forensics, which concluded by June 10. The company assembled a team of external and internal experts to investigate the breach and prepare a response. Investigations determined that the breach occurred through the compromised third-party vendor account, which accessed some of HealthEquity’s SharePoint data.

Cerny emphasized that this incident was isolated and not connected to recent high-profile breaches like that of Change Healthcare, which is owned by UnitedHealth Group. In May, during a House hearing, UnitedHealth CEO Andrew Witty acknowledged a significant breach affecting a large number of Americans.

HealthEquity’s disclosure underscores ongoing cybersecurity challenges faced by healthcare organizations, particularly concerning third-party vendor risks and the protection of sensitive health information.