HealthEquity, a custodian of more than 3.4 million health savings accounts, has had a data breach after one employee’s email account was accessed by an unauthorized person.
Two companies in Michigan that receive services from Draper, Utah-based HealthEquity were affected by the breach, and 23,000 individuals at those companies have been offered five years of credit monitoring and identity theft protective services from ID Experts.
HealthEquity also handles flexible spending accounts, 401(k) accounts and health reimbursement arrangements, providing a range of services for about 40,000 companies,
That’s a long time to provide credit monitoring and identity protection, as most organizations offering protection offer one year, with some providing two years. But HealthEquity wants its customers to know that their well-being is paramount, says Joel Johnson, senior vice president of audit and risk management.
The incident occurred on April 11 and was discovered two days later. The email of a single employee was accessed by a bad actor, according to Johnson. After the access was discovered, access to the mailbox was eliminated, and a forensics firm investigation confirmed that no other Health Equity systems were affected.
Compromised protected health information in the email included employee names, HealthEquity member IDs, employer names, HealthEquity employer IDs, various types of healthcare accounts, deduction amounts and Social Security numbers for some Michigan-based employees.