HealthEquity, a leading provider of health savings account (HSA) services, has announced it suffered a data breach recently, resulting in compromised customer protected health information (PHI).
It is understood the breach was detected on March 25, 2024, after abnormal activity was flagged from a business partner’s device. Once an investigation was carried out, it was revealed that a threat actor had accessed and exfiltrated data from HealthEquity’s SharePoint system.
HealthEquity mobilised and launched a forensic investigation to determine the impact of the breach and to take mitigation and remediation steps.
It has been confirmed that no malware was discovered and business operations remained unaffected, but the accessed data did include personally identifiable information (PII) and PHI. HealthEquity has begun the process of notifying individuals who may have been affected and is offering complimentary credit monitoring and identity restoration services.
Cybersecurity industry experts have reacted to the news as follows:
Erich Kron, security awareness advocate at KnowBe4:
“Unfortunately, the theft of PHI can be very detrimental to those impacted, as there is a lot of sensitive information, including social security numbers and in many cases information about procedures or ailments that may be embarrassing. It is also information that can be used for subsequent social engineering attacks. By referencing a procedure or test that an individual might think is private and known only to medical professionals, bad actors can more easily build trust with potential victims.
This is also a lesson in the protection of data outside of the most common systems. It is not unusual to find that employees have used tools such as spreadsheets to collect information and process it without the knowledge of the IT and security staff. This is often not malicious but done to make work easier and more efficient; however, these additional copies of data are difficult to protect if they are unknown.
Organizations that deal with PHI or significant amounts of PII should ensure that employees are educated and trained about the proper handling of sensitive information. A good security culture, with employees considering the security implications of data duplication, is an important step toward reducing or eliminating situations such as this.”
Erfan Shadabi, cybersecurity expert at comforte AG:
“Organizations are only as secure as their weakest link. This breach, stemming from a compromised third-party vendor account, highlights the urgent need for rigorous vetting and continuous monitoring of all third-party relationships. The increasing frequency of third-party data breaches necessitates a proactive approach to security. Companies must adopt comprehensive vetting processes, regular audits, and robust contractual agreements to enforce strict security standards. Prioritizing data-centric security techniques—such as encryption, tokenization, and secure access controls—is essential to safeguard sensitive information effectively. Organizations must recognize that their security posture is intricately linked to the practices of their third-party vendors. By focusing on securing data itself and not just the network, companies can reduce the risk of exposure and limit the impact of breaches when they occur.”
Sergio Figueroa Santos, senior security consultant at the Synopsys Software Integrity Group:
“Recent security incidents have brought to light a complex chicken-and-egg issue lurking at the bottom of our modern digital systems: their complexity has grown to such an extent that it becomes practically impossible to operate productive systems without relying on third-party services and solutions. Examples of such services include remote backups, outsourced data processors, and applications required for compliance reasons.
“These dependencies are sensitive but hard to secure. Even when an application is deemed secure, its data could leak through a data backup. Perhaps the backup service provider had access to it and decided to snoop, or perhaps the access control to the backup was not tightly controlled. Unfortunately, in many security activities, these external services can be blurred as “implementation details” or “part of someone else’s scope,” which effectively means that responsibility falls through everyone’s hands like sand. And even when someone picks up the burden, it is a tall order. The main reason for this is that service providers seldom have incentives to adjust their behaviour after a contract is signed, which means that any security-relevant requirements must be agreed before that point.
“There are several technical mechanisms that can reduce the risks of specific attacks. For example, data encryption controlled by the owners of the application could reduce the risk of a malicious service provider peeking over the data. Or an effective log monitoring strategy can flag malicious attempts to read the data. But the essence of the issue comes back to an adage that is an old favourite of the security community: the chain breaks by its weakest link. If the security of your service provider is not at least as robust as your own, that service that you expected to give you peace of mind will become a liability. Work with your providers to ensure you understand their security practices because even if a security incident happens because of them, it is your name that will make the headlines.”
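The log-monitoring idea raised in the comments above, applied to the kind of incident the article describes (a third-party account pulling files from SharePoint in bulk), as an added illustration that is not part of the article or any vendor's tooling. The event shape, the domain names and the thresholds are assumptions; the events are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed simplified audit-event shape: time (ISO 8601), user, op.
# Field names are loosely modelled on SharePoint file-download audit
# records but are an assumption, not a real schema.
INTERNAL_DOMAIN = "healthequity.example"  # constructed placeholder domain


def make_events():
    """Constructed sample events: one normal internal user, one third-party
    account pulling files in bulk, plus a non-download event that must be ignored."""
    base = datetime(2024, 3, 25, 9, 0, 0)
    events = []
    for i in range(12):  # internal analyst: 12 downloads spread over an hour
        events.append({"time": (base + timedelta(minutes=5 * i)).isoformat(),
                       "user": f"analyst@{INTERNAL_DOMAIN}", "op": "FileDownloaded"})
    for i in range(40):  # partner account: 40 downloads inside four minutes
        events.append({"time": (base + timedelta(seconds=6 * i)).isoformat(),
                       "user": "partner.svc@vendor.example", "op": "FileDownloaded"})
    events.append({"time": base.isoformat(), "user": "partner.svc@vendor.example",
                   "op": "FileAccessed"})  # a view, not a download: not counted
    return events


def flag_bulk_downloads(events, window=timedelta(minutes=10),
                        internal_limit=20, external_limit=5):
    """Return {user: peak downloads in any sliding window} for accounts whose
    download rate exceeds their limit. External (third-party) accounts get a
    tighter limit, since their baseline access to the site should be narrower."""
    by_user = defaultdict(list)
    for e in events:
        if e["op"] == "FileDownloaded":
            by_user[e["user"]].append(datetime.fromisoformat(e["time"]))
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        limit = internal_limit if user.endswith("@" + INTERNAL_DOMAIN) else external_limit
        start = peak = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # slide the window forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    print(flag_bulk_downloads(make_events()))  # {'partner.svc@vendor.example': 40}
```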