DETROIT – HealthEquity reported an email breach that left the health information of some individuals vulnerable, the company said.
Here is the information from HealthEquity:
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Breach Notification Rule (45 CFR §§ 164.400-414) requires HIPAA covered entities and/or their business associates that experience a breach to provide notice to prominent media outlets serving the state. Accordingly, HealthEquity, Inc. is providing notice to your organization.
HealthEquity has notified individuals potentially impacted by a security incident. A single employee’s email account was accessed by an unauthorized individual that may have culminated in disclosure of protected health information. The incident occurred on April 11, 2018 and was discovered on April 13, 2018. As soon as HealthEquity discovered the incident, the unauthorized individual’s access to the mailbox was eliminated and an investigation was initiated to determine the nature and scope of the event.
HealthEquity engaged a prominent data security forensics firm and confirmed that only one email account belonging to a single HealthEquity employee was compromised as a result of human error. No other HealthEquity systems were impacted or affected. The email account contained protected health information including, for some individuals, one or more of the following: names, emails, HealthEquity member IDs, employer names, HealthEquity employer IDs, healthcare account type (e.g., FSA, DCRA, HCRA, or LPHCRA), deduction amounts and Social Security numbers for some Michigan-based employees. The two companies affected have been notified, and HealthEquity is working to resolve the matter.
While the investigation has found no evidence of actual or attempted misuse of the information, HealthEquity is offering identity theft and credit monitoring services to all who are impacted by this security issue, which will include information to obtain free credit reports and instructions on enabling fraud alerts on their credit files. Law enforcement has been notified and HealthEquity has enhanced the security of its email systems and retrained its employees.
HealthEquity encourages impacted individuals to remain vigilant against incidents of identity theft and fraud by reviewing account statements and credit monitoring reports for suspicious activity. Individuals impacted by this incident will be apprised of the situation and will have access to a dedicated call center provided by HealthEquity through its vendor, ID Experts, to answer any questions (888-262-1560).