HealthEquity is notifying 4.3 million individuals that their personal and health information was compromised in a data breach at a third-party vendor.
The incident, the company said in a regulatory filing with the Maine Attorney General’s Office, was identified on March 25 and required an “extensive technical investigation”.
“Through this work, we discovered some unauthorized access to and potential disclosure of protected health information and/or personally identifiable information stored in an unstructured data repository outside our core systems,” HealthEquity said.
According to the company, the data was exposed after attackers compromised a vendor’s user accounts that had access to the online repository, gaining access to the information stored there.
“We took immediate actions including disabling all potentially compromised vendor accounts and terminating all active sessions; blocking all IP addresses associated with threat actor activity; and implementing a global password reset for the impacted vendor,” the company said.
Depending on the individual, the impacted personally identifiable information (PII) and protected health information (PHI) may include name, address, phone number, Social Security number, employee ID, employer, dependent information, and payment card information.
HealthEquity also said that the compromised data mainly included sign-up information for the accounts and benefits it administers.
The company did not name the compromised vendor, but told the Maine AGO that it will mail notification letters to roughly 4.3 million people starting August 9.
HealthEquity is providing the impacted individuals with two years of free credit identity monitoring, insurance, and restoration services and is encouraging them to monitor their accounts for suspicious activity.
“We are not aware of any actual or attempted misuse of information because of this incident to date,” the company said.
Related: 57,000 Patients Impacted by Michigan Medicine Data Breach
Related: MediSecure Data Breach Impacts 12.9 Million Individuals
Related: MarineMax Notifying 123,000 of Data Breach Following Ransomware Attack
Related: MNGI Digestive Health Data Breach Impacts 765,000 Individuals