A company that handles millions of health savings accounts (HSAs) has suffered a data breach in which the information of 23,000 was compromised.
On 11 April, the email account of a HealthEquity employee was accessed by an unauthorized person. Two days later, the malicious activity was discovered, at which point the Utah-based firm – a custodian of more than 3.4 million HSAs – expunged the mailbox and contacted a forensics firm. HealthEquity has reportedly offered five years of credit monitoring and identity theft protection in response to the incident.
Health Data Management reported that the information compromised via the email account included not only the names of members but also their HealthEquity member IDs, along with the names of their employers and their employers' HealthEquity IDs. Also included in the stolen data were various types of healthcare accounts, deduction amounts and Social Security numbers for some Michigan employees.
“The healthcare industry is a growing target for cyber-attacks because of the highly valuable information stored within these organizations," said Tim Erlin, VP product management and strategy, Tripwire.
“The biggest risk for those affected is identity theft, given that Social ecurity numbers were compromised," Erlin continued. "HealthEquity seems to realize this fact and as offered identity theft monitoring services in addition to the usual credit monitoring. The fact that this breach was detected two days after it occurred is notable and a sign that HealthEquity was paying attention.”
News of the breach comes only days after Cynerio published new research, Healthcare Hacking Trends on the Dark Web. Released 11 June, the research found that the buying and selling of protected health information is a troubling problem in dark web marketplaces.
The healthcare industry is one of the most frequently targeted sectors, as cyber-criminals exploit known weaknesses where they can gain access to highly sensitive information that has great value on the dark web.
"The fact that healthcare providers’ databases can be hacked, dumped and sold to the highest bidder (with the lowest morals), is quite troubling," the report states. "Healthcare systems store some of the most sensitive and private information about us, and this information is exposed to a wide range of cyber-attacks on a huge attack surface."