Phishing Attack on HealthEquity Potentially Compromised Members’ PHI

HealthEquity Inc., based in Draper, UT, suffered a phishing attack that resulted in the protected health information of its members being compromised. Only one email account was accessed by unauthorized individuals, but an investigation of the email messages in that account showed a range of PHI could potentially have been obtained – information such as members’ names, HealthEquity member ID numbers, email addresses, employer names, employer ID numbers, health account type and deduction amounts. The Social Security numbers of some Michigan-based employees were also potentially exposed.

HealthEquity discovered the breach on April 13, 2018 and immediately terminated access to the compromised email account; however, the attacker had access to the account for 48 hours, during which time the messages may have been opened or copied. Third-party computer forensics experts were called upon to assist with the investigation, and while PHI theft was not confirmed, it could not be ruled out with total certainty. As a precautionary measure, HealthEquity has offered credit monitoring and identity theft protection services via ID Experts to all persons affected by the phishing attack. Those services have been offered, free of charge, for five years.

HealthEquity has sent breach notifications to all affected individuals. A media notice was issued through a prominent media outlet, ClickOnDetroit, within the 60-day breach notification period required by HIPAA.

The Department of Health and Human Services’ Office for Civil Rights was notified, and the breach summary published on its website indicates 16,000 individuals were impacted by the breach.

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/