PHI Compromised in HealthEquity Phishing Attack


A phishing attack on Draper, UT-based HealthEquity Inc. has led to the exposure of members' PHI. The breach was limited to a single email account, although a review of the messages in that account showed that a range of PHI was potentially accessible to the attacker.

The information potentially compromised in the attack was limited to names, deduction amounts, health account type, employer names, employer ID numbers, HealthEquity member ID numbers, email addresses, and, for some Michigan-based employees, Social Security numbers.

The breach was detected on April 13, 2018 and was found to have occurred two days earlier, giving the attacker up to 48 hours of access to messages in the account. Access to the compromised account was blocked immediately to prevent any further unauthorized access.

A third-party computer forensics firm was engaged to conduct a full investigation into the attack. The investigation confirmed that the breach was limited to a single email account and that access was gained through human error: the employee responded to a phishing email. No other systems were compromised or affected by the phishing attack.

Although access to PHI was possible, no evidence was found that the emails in the account were opened or that PHI was obtained by the attacker. Nevertheless, out of an abundance of caution, all affected individuals have been offered complimentary credit monitoring and identity theft protection services through ID Experts.

As a HIPAA covered entity, HealthEquity is required to issue breach notification letters and a media notice to a prominent media outlet within 60 days of discovering a breach of PHI. That media notice was issued to ClickOnDetroit. The breach was limited to two businesses, both of which have been informed of the security incident.

The two affected Michigan businesses have been offered five years of credit monitoring and identity theft protection services for all individuals impacted by the breach. Most breached entities that offer such services provide only 12 months, or in exceptional cases 24 months, of coverage. The breach portal of the Department of Health and Human Services' Office for Civil Rights (OCR) shows that 16,000 individuals have been affected by the incident.