Phishing Attack on HealthEquity Potentially Compromised Members’ PHI

HealthEquity Inc., based in Draper, UT, suffered a phishing attack that resulted in the protected health information (PHI) of its members being compromised. Only one email account was accessed by unauthorized individuals, but an investigation of the email messages showed that a range of PHI could potentially have been obtained, including members’ names, HealthEquity member ID numbers, email addresses, employer names, employer ID numbers, health account type and deduction amounts. The Social Security numbers of some Michigan-based employees were also potentially exposed.

HealthEquity discovered the breach on April 13, 2018, and immediately terminated access to the compromised email account; however, the attacker had access to the account for 48 hours, during which time the messages may have been opened or copied. Third-party computer forensics experts were called upon to assist with the investigation, and while PHI theft was not confirmed, it could not be ruled out with total certainty. As a precautionary measure, HealthEquity has offered credit monitoring and identity theft protection services via ID Experts to all persons affected by the phishing attack. Those services have been offered, free of charge, for five years.

HealthEquity has sent breach notifications to all affected individuals. A media notice was issued through a prominent media outlet, ClickOnDetroit, within the 60-day breach notification period required by HIPAA.

The Department of Health and Human Services’ Office for Civil Rights was notified, and the breach summary published on its website indicates that 16,000 individuals were impacted by the breach.