Millions of Americans’ personal information was obtained by hackers after a cyberattack on a major health finance company.
A total of 4.3m users’ names, addresses, health history and social security numbers to dangerous actors were obtained after the attack on HealthEquity.
Hackers accessed the information through an unnamed third-party vendor that had access to HealthEquity’s Microsoft Sharepoint data, which allows companies to create and store important files and customers’ full profile information.
The newest attack could prompt a wave of data breaches, financial fraud and identity theft using the information collected from customers’ accounts.
A HealthEquity data breach has put 4.3 million American users’ information at risk, leaving them wondering what information may have been leaked
The data breach occurred in March 2024 but according to a new filing, HealthEquity didn’t confirm its system was breached until June 26, more than three months after the accounts were targeted.
HealthEquity provides health savings accounts, flexible spending accounts, health reimbursement arrangements and 401(k) retirement plans to its 15.7 million customers.
The company claimed hackers used compromised credentials from a third-party vendor to access the information and has currently disabled all accounts that may have been breached.
A HealthEquity spokesperson told Fox News: ‘We have taken immediate, proactive and prudent action since we first discovered an anomaly with our third-party vendor.
‘This included quickly resolving the issue, bringing together a team of outside and internal experts to investigate, and preparing for a response.’
HealthEquity has reportedly disabled all accounts that may have been impacted, blocked all IP addresses linked to the hackers and added a global password reset to its systems.
The investigation into the attack is still ongoing and HealthEquity customers will be notified by mail or email if they were impacted – depending on the contact preference listed on their account.
The investigation into the attack is still ongoing and HealthEquity customers will be notified by mail or email if they were impacted – depending on the contact preference listed on their account
So far, the company said it isn’t aware of any actual or attempted misuse of information, but has ‘formally filed a notification with the Securities and Exchange Commission, which wasn’t required, but represents our concern and commitment to transparent communication,’ the spokesperson told Fox.
‘We regret the inconvenience caused by the incident and are working to minimize disruption while also taking steps to help prevent this from happening in the future.’
Although the exposed data was linked to Microsoft software, HealthEquity told TechCrunch it was an ‘isolated incident’ and wasn’t related to the recent spate of Snowflake breaches where hackers stole millions of customer records from major corporations including banks, healthcare providers and tech companies.
Snowflake is a similar platform that allows businesses to store all company and customer data in one place.
HealthEquity’s breach impacted customers across the US including Ohio, New York, and Oregon.
According to a data breach filing by the office of the Maine Attorney General, consumers should expect to receive written notification by the end of this week if their data was stolen.
HealthEquity reported it is currently monitoring accounts, credit identity information, and restoration services and has advised customers to protect themselves from identity theft by placing a fraud alert on their credit file.
This will stop dangerous actors from opening new credit accounts in your name and can be set up for free through Equifax, Experian, or TransUnion.
DailyMail.com has reached out to HealthEquity for comment.Â