DataBreaches.Net


HealthEquity, Inc. notifying 190,000 after two employee email accounts were hacked

Posted on November 16, 2018 by Dissent

Reading a notification that employee email accounts were hacked and customer or patient information may have been accessed is nothing particularly unusual these days. What is a bit surprising, however, is when a breached entity offers those affected five years' worth of credit monitoring, remediation, and other services. And that’s exactly what HealthEquity, Inc. is doing.

According to the letter to the California Attorney General’s Office from their external counsel, the Utah-headquartered firm,

either directly or in association with employers and health plans, provides services designed to give individuals tax advantages to offset health care costs, including health savings accounts (“HSAs”), health reimbursement arrangements (“HRAs”), health flexible spending arrangements (“FSAs”), limited purpose FSAs (“LPFSAs”), and dependent care reimbursement accounts (“DCRAs”). HSAs are individual custodial accounts, and HRAs, FSAs, LPFSAs, and DCRAs are employer plans (see, e.g., IRS Publication 969).

The incident being reported involved individuals with those types of plans as well as some employees of HealthEquity, whose health plan enrollment information was potentially accessed.

According to a notification to the California Attorney General’s Office, on October 5, HealthEquity’s information security team identified unauthorized logins to two HealthEquity employees’ email accounts. One of the accounts was accessed on October 5, and the other account was accessed on various occasions between September 4, 2018 and October 3, 2018.

The investigation was unable to conclusively rule out – or rule in – whether the attacker actually accessed and viewed emails in those accounts that contained personal and/or protected health information.

HealthEquity is sending four different versions of its notification letter, each matched to the PII that may have been exposed for the recipient:

  • Recipients of Version A had an account administered by HealthEquity and may have had their name and Social Security number exposed. 3,784 California residents are being sent that type of notification.
  • Recipients of Version B had an account administered by HealthEquity and may have had their name, Social Security number, account type (HSA, HRA, FSA, LPFSA, DCRA), and employer’s name exposed. This version was drafted in conjunction with a health plan partner. 5,972 California residents are being sent this type of notification.
  • Recipients of Version C had an account administered by HealthEquity and may have had their name, Social Security number, account type (HSA, HRA, FSA, LPFSA, DCRA), and associated employer or plan exposed. This version was drafted in conjunction with a health plan partner. 11,142 California residents are being sent this type of notification.
  • Recipients of Version D are employees or former employees (and their dependents) of HealthEquity whose health plan enrollment data may have been exposed. Eight California residents are being sent this type of notification.

Apart from the approximately 21,000 California residents, the notification did not indicate how many people, nationwide, are being notified. HealthEquity provided DataBreaches.net with the following statement to address that question:

HealthEquity is committed to protecting the privacy of the individuals we serve. We sincerely regret this recent attack. While the results of our forensic investigation have found no evidence of actual or attempted misuse of the information, we are offering five years of free identity theft and credit monitoring services to all affected individuals. We are also implementing additional security protocols to help prevent this from occurring in the future. While the attack was limited to access through two Microsoft Outlook 365 email accounts and none of HealthEquity’s systems were accessed or impacted, we continue to be vigilant and proactive in protecting the personal information of the individuals we serve.

Through a third-party forensic research team, we have discovered that approximately 190,000 may have been impacted. We have begun notifying these individuals and offering 5-year credit monitoring services.

Their statement to DataBreaches.net mirrors their letter to those affected, where they write:

We are offering identity theft protection services through ID Experts®, a data breach and recovery services expert, to provide you with MyIDCare™. MyIDCare services include: 5 years of credit monitoring, Cyberscan dark web monitoring, a $1,000,000 insurance reimbursement policy, and fully managed identity theft recovery services. With this protection, MyIDCare will help you resolve issues if your identity is compromised.

In addition, HealthEquity has set up a call center and website through ID Experts to address any questions or concerns from impacted individuals.

The letter to those affected, signed by HealthEquity President and CEO Jon Kessler, adds:

HealthEquity has adopted enhanced security practices to prevent a similar incident from occurring in the future, including the implementation of additional technical security measures and retraining and reeducation of its workforce, and is actively monitoring accounts for any suspicious activity.

[…]

We sincerely apologize for this incident and are working hard to make it right.

So far, they certainly are doing what appears to be an admirable job of being transparent and supportive.

Update: When this incident appeared on HHS’s public breach tool, the entry indicated that HealthEquity had reported to HHS on November 17 that 165,800 were impacted, so it’s not clear which figure is correct at this point.

But of note, and as reflected in the comments under this post, this was the second incident of this kind this year. So whatever steps HealthEquity is taking, I hope those steps include preventing employees from retaining so much PHI and PII in their email accounts.


2 thoughts on “HealthEquity, Inc. notifying 190,000 after two employee email accounts were hacked”

  1. Andre Frech says:
    November 19, 2018 at 11:16 am

    Is this the same incident as, or a different one from, the one in this June 12, 2018 article:

    HealthEquity reports email breach that compromised health information
    https://www.clickondetroit.com/health/healthequity-reports-email-breach-that-compromised-health-information

    If different, they’re having email issues that seem like they could be mitigated with a proper 2FA implementation.

    1. Dissent says:
      November 19, 2018 at 6:16 pm

      It’s a different incident. And I think a good solution/strategy for them would be to reduce the size of employees’ inboxes to force employees to transfer files/attachments out of their email accounts in a timely/fast manner. When you look at the numbers involved, it seems clear that employees are likely retaining emails in their inboxes that they are no longer processing or working on, as I doubt any one employee would be handling 20,000 requests per week, etc…


© 2009 – 2025 DataBreaches.net and DataBreaches LLC. All rights reserved.