PHI Undermined in HealthEquity Phishing Attack

June 15, 2018


A phishing attack on Draper, UT- situated HealthEquity Inc., has led to the disclosure of members’ PHI. The data breach was restricted to one electronic mail account, even though an examination of the messages in the account disclosed a variety of PHI was possibly obtained by the attacker.

Information probably undermined in the attack was restricted to names, deduction amounts, health account type, employer names, employer ID numbers, HealthEquity member ID numbers, electronic mail addresses, and for some Michigan-based workers, Social Security numbers.

The breach was detected on April 13, 2018 and was found to have happened two days earlier, giving the attacker 48 hours to access messages in the account. Access to the undermined account was instantly stopped to avoid any additional illegal access.

A third-party computer forensics company was hired to carry out a complete inquiry into the attack. The inquiry verified that the breach was restricted to a lone electronic mail account and access was gained because of human error – the worker replying to a phishing message. No other systems were undermined or affected by the phishing attack.

Although PHI access was possible, no proof was found to indicate the electronic mails in the account were opened or PHI was gotten by the attacker, even though out of an abundance of caution, all affected people have been provided free credit checking and identity theft protection facilities through ID Specialists.

As a HIPAA protected unit, HealthEquity must send notices concerning the breach and issue a media notification to a renowned mass media outlet within 60 days of detection of a PHI breach. That notification was provided to ClickOnDetroit. The breach was restricted to two businesses, both of which have been alerted about the safety incident.

The two Michigan businesses affected have been provided five years credit checking and identity theft protection facilities for all people impacted by the breach. Most breached units that provide such facilities only provide 12 months, or in exceptional cases, 24 months access to those facilities. The breach portal of the Division of Health and Human Services’ Office for Civil Rights shows 16,000 patients have been impacted by the occurrence.