June 17, 2018
HealthEquity Inc. has been hit by a phishing attack that resulted in the exposure of members’ protected health information (PHI). The data breach was limited to one email account, although a review of the messages in the account indicated that a variety of PHI was potentially stolen by the attacker.
Information potentially accessed in the attack was limited to names, health account types, employer names, employer ID numbers, HealthEquity member ID numbers, deduction amounts, email addresses, and, for some Michigan-based employees, Social Security numbers.
The breach was discovered on April 13, 2018, and was determined to have occurred two days earlier, giving the attacker 48 hours to access messages in the account. Access to the compromised account was promptly disabled to prevent any further unauthorized access.
A third-party computer forensics firm was engaged to conduct a full investigation of the attack. The investigation found that the breach was limited to a single email account and that access was gained through human error: an employee responded to a phishing message. No other systems were affected or exposed by the phishing attack.
Although PHI was accessible, no evidence was found to indicate that the emails in the account were opened or that PHI was downloaded by the attacker. As a precaution, all affected individuals have been offered free credit monitoring and identity theft protection services through ID Experts.
As an organization covered by HIPAA, HealthEquity is required to send breach notifications and issue a media notice to a prominent media outlet within 60 days of discovering a PHI breach. That notice was sent to ClickOnDetroit. The breach was limited to two companies, both of which have been notified of the security incident.
The incident has yet to be published on the Department of Health and Human Services’ Office for Civil Rights (OCR) breach portal, so it is not yet clear how many people have been affected.