June 17, 2018
HealthEquity Inc. has been struck by a phishing attack resulting in the disclosure of members’ PHI. The data breach was limited to one electronic mail account, even though an analysis of the messages in the account indicated a variety of PHI was possibly thieved by the attacker.
Information probably retrieved in the attack was limited to names, deduction figures, health account type, employer names, employer ID numbers, HealthEquity member ID numbers, electronic mail addresses, and for some Michigan-based employees, Social Security numbers.
The breach was found on April 13, 2018 and was found to have happened two days earlier, giving the hacker 48 hours to access messages in the account. Access to the undermined account was swiftly turned off to avoid any more illegal access.
A third-party computer forensics business was contacted to finish a complete review into the attack. The analysis indicated that the breach was limited to a single electronic mail account and access was gotten due to a human fault – the worker responding to a phishing message. No other systems were affected or disclosed by the phishing attack.
Although PHI access was open, no evidence was found to indicate the emails in the account were opened or protected health information was downloaded by the hacker, though as a safety measure, all affected people have been offered free credit checking and identity theft security facilities through ID Experts.
As a HIPAA protected unit, HealthEquity should send notices concerning the breach and release a media notice to a famous mass media outlet within 60 days of identifying of a protected health information breach. That notification was transmitted to ClickOnDetroit. The breach was limited to two businesses, both of which have been warned about the safety occurrence.
The occurrence has yet to be published on the Division of Health and Human Services’ Office for Civil Rights’ (OCR) breach portal, therefore it remains uncertain how many people have been affected by the occurrence.